diff options
775 files changed, 66765 insertions, 1525 deletions
diff --git a/contrib/pw-am.sh b/contrib/pw-am.sh index 8987eee8eb..d9d1187b0b 100755 --- a/contrib/pw-am.sh +++ b/contrib/pw-am.sh @@ -9,7 +9,7 @@ for patchnumber in $@; do - wget -nv http://patches.openembedded.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch + wget -nv http://patchwork.yoctoproject.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch git am -s pw-am-$patchnumber.patch rm pw-am-$patchnumber.patch done diff --git a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb index d9864ac3e8..e4a0f95692 100644 --- a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb +++ b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb @@ -11,7 +11,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://fsck.c;md5=3859dc73da97909ff1d0125e88a27e02" DEPENDS = "zlib" -SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git \ +SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git;branch=master;protocol=https \ file://0001-Add-LDFLAGS-to-linker-cmdline.patch \ file://0001-btree-Avoid-conflicts-with-libc-namespace-about-setk.patch \ file://0001-include-sys-sysmacros.h-for-major-minor-definition.patch \ diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb index 6f5cb6cee9..efb331d7b2 100644 --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb @@ -10,8 +10,7 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \ file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \ " S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}" -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c" -SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5" +SRC_URI[sha256sum] = "f20e36ee68074b845e3629e6bced4706ad053804cbaf062fbae60738f854170c" UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/" UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz" @@ -50,3 +49,5 @@ do_install_append() { # Satisfy the -dev runtime dependency ALLOW_EMPTY_${PN} = "1" + +CVE_PRODUCT = "tuxera:ntfs-3g" diff --git a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb index 414084449f..9e546e8a39 100644 --- a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb +++ b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=628b867016631792781a8735a04760e5 \ DEPENDS = "fuse virtual/libusb0" # v3.2p3 SRCREV = "3744375dfaa350e31c9b360eb1e1a517bbeb5c47" -SRC_URI = "git://github.com/owfs/owfs \ +SRC_URI = "git://github.com/owfs/owfs;branch=master;protocol=https \ file://0001-Add-build-rule-for-README.patch \ file://owhttpd \ file://owserver \ diff --git a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb index bf9c34dc97..9b776e9dc7 100644 --- a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb +++ b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2" DEPENDS = "glib-2.0 fuse3" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/libfuse/sshfs" +SRC_URI = "git://github.com/libfuse/sshfs;branch=master;protocol=https" SRCREV = "a7e1038203c856cc7e052d439d1da49fe131339f" S = "${WORKDIR}/git" diff --git a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb index 3dd5c82ee5..13273f7bc8 100644 --- a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb +++ b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/unionfs.c;beginline=3;endline=8;md5=30fa8de70fd8a file://LICENSE;md5=7e5a37fce17307066eec6b23546da3b3 \ " -SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master \ +SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master;protocol=https \ file://0001-support-cross-compiling.patch \ " SRCREV = "8d732962423c3ca5be1f14b7ec139ff464e10a51" diff --git a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb index 24b17fc93b..dc9132a82e 100644 --- a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb +++ b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb @@ -22,6 +22,8 @@ UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>3(\.\d+)+).tar.xz" inherit meson pkgconfig +CVE_PRODUCT = "fuse_project:fuse" + DEPENDS = "udev" PACKAGES =+ "fuse3-utils" diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb index 95e870691c..4ec1213519 100644 --- a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb +++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb @@ -19,9 +19,16 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar. SRC_URI[md5sum] = "8000410aadc9231fd48495f7642f3312" SRC_URI[sha256sum] = "d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5" +# CVE-2019-14860 is a REDHAT specific issue and was addressed for REDHAT Fuse products on Red Hat Fuse 7.4.1 and Red Hat Fuse 7.5.0. +# REDHAT has also released the fix and updated their security advisories after significant releases. +CVE_PRODUCT = "fuse" +CVE_CHECK_WHITELIST += "CVE-2019-14860" + UPSTREAM_CHECK_URI = "https://github.com/libfuse/libfuse/releases" UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>2(\.\d+)+).tar.gz" +CVE_PRODUCT = "fuse_project:fuse" + inherit autotools pkgconfig update-rc.d systemd INITSCRIPT_NAME = "fuse" diff --git a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb index 98bd478f32..2c5a9e16b3 100644 --- a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb +++ b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb @@ -9,7 +9,7 @@ DEPENDS = "util-linux" # v1.13.0 SRCREV = "284f77f0075a16a2ad1f3b0fb89b7f64a1bc755d" -SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git \ +SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git;branch=master \ file://0001-f2fs-tools-Use-srcdir-prefix-to-denote-include-path.patch \ " S = "${WORKDIR}/git" diff --git a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb index c72671739d..c90a7ecc2b 100644 --- a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb +++ b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb @@ -7,7 +7,7 @@ HOMEPAGE = "https://github.com/Gregwar/fatcat" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=57fbbfebd0dd1d6ff21b8cecb552a03f" -SRC_URI = "git://github.com/Gregwar/fatcat.git \ +SRC_URI = "git://github.com/Gregwar/fatcat.git;branch=master;protocol=https \ file://0001-Use-unistd.h-not-argp.h-for-all-POSIX-systems.patch \ " diff --git a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb index 88d495b685..c258a128ee 100644 --- a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb +++ b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb @@ -3,7 +3,7 @@ SECTION = "console/tools" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https" +SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https;branch=master" SRCREV = "3f80afc76ad82d4a1b852a6c8dea24cd9f5e7a24" PV = "1.0.2-11" diff --git a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb index 23583650b8..ed003ee7be 100644 --- a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb +++ b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb @@ -8,7 +8,7 @@ BRANCH ?= "dev" SRCREV = "a3cf93b66f4606a46354cf884d24aa966661f848" -SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=git;branch=${BRANCH} \ +SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=https;branch=${BRANCH} \ file://0001-Replace-u_intXX_t-with-kernel-typedefs.patch \ " diff --git a/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb b/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb index a47bf6fcf8..b10efbedc5 100644 --- a/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb +++ b/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb @@ -10,7 +10,7 @@ DEPENDS = " \ libpam \ " -REQUIRED_DISTRO_FEATURES = "x11 systemd pam" +REQUIRED_DISTRO_FEATURES = "x11 systemd pam polkit" inherit gnomebase gsettings gobject-introspection gettext systemd useradd upstream-version-is-even features_check diff --git a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb index 90e5533015..7564275668 100644 --- a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb +++ b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb @@ -6,7 +6,7 @@ DEPENDS = "glib-2.0 gtk+3 gdk-pixbuf clutter-1.0 clutter-gtk-1.0 libsoup-2.4" inherit meson gobject-introspection SRCREV = "145e417f32e507b63c21ad4e915b808a6174099e" -SRC_URI = "git://github.com/gnome/libchamplain.git" +SRC_URI = "git://github.com/gnome/libchamplain.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb b/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb index e2ced395c1..aa6492de4c 100644 --- a/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb +++ b/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb @@ -24,7 +24,7 @@ REQUIRED_DISTRO_FEATURES = "gobject-introspection-data" UNKNOWN_CONFIGURE_WHITELIST_append = " introspection" PACKAGECONFIG ??= " \ - ffmpeg \ + ${@bb.utils.contains("LICENSE_FLAGS_WHITELIST", "commercial", "ffmpeg", "", d)} \ flac \ gexiv2 \ gstreamer \ diff --git a/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb b/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb index ad69ab68c3..cee4ed497e 100644 --- a/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb +++ b/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb @@ -16,7 +16,9 @@ SRC_URI += "file://0001-sysprof-Define-NT_GNU_BUILD_ID-if-undefined.patch \ file://0001-libsysprof-ui-Rename-environ-to-sys_environ.patch \ " -PACKAGECONFIG ?= "sysprofd libsysprof ${@bb.utils.contains_any('DISTRO_FEATURES', '${GTK3DISTROFEATURES}', 'gtk', '', d)}" +PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'sysprofd', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'libsysprof', '', d)} \ + ${@bb.utils.contains_any('DISTRO_FEATURES', '${GTK3DISTROFEATURES}', 'gtk', '', d)}" PACKAGECONFIG[gtk] = "-Denable_gtk=true,-Denable_gtk=false,gtk+3 libdazzle" PACKAGECONFIG[sysprofd] = "-Dwith_sysprofd=bundled,-Dwith_sysprofd=none,polkit" PACKAGECONFIG[libsysprof] = "-Dlibsysprof=true,-Dlibsysprof=false,polkit" diff --git a/meta-gnome/recipes-support/ibus/ibus.inc b/meta-gnome/recipes-support/ibus/ibus.inc index 1bbeb2c481..2e03f7c6a7 100644 --- a/meta-gnome/recipes-support/ibus/ibus.inc +++ b/meta-gnome/recipes-support/ibus/ibus.inc @@ -10,7 +10,7 @@ PV = "1.5.22" DEPENDS = "unicode-ucd" SRC_URI = " \ - git://github.com/ibus/ibus.git \ + git://github.com/ibus/ibus.git;branch=main;protocol=https \ file://0001-Do-not-try-to-start-dbus-we-do-not-have-dbus-lauch.patch \ " SRCREV = "e3262f08b9e3efc57808700823b0622ec03a1b5f" diff --git a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb index d567d00d3f..fb4c816729 100644 --- a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb +++ b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb @@ -13,7 +13,7 @@ B = "${S}" SRCREV = "736ccef40d39603b8111c8a3a0bca0319bbafdc0" PV = "3.0+git${SRCPV}" -SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0 \ +SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0;protocol=https \ " RDEPENDS_${PN} = "gtk+" diff --git a/meta-gnome/recipes-support/libhandy/libhandy_git.bb b/meta-gnome/recipes-support/libhandy/libhandy_git.bb index 8c6159f998..6d63ddb86a 100644 --- a/meta-gnome/recipes-support/libhandy/libhandy_git.bb +++ b/meta-gnome/recipes-support/libhandy/libhandy_git.bb @@ -2,7 +2,7 @@ SUMMARY = "A library full of GTK+ widgets for mobile phones" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https" +SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https;branch=master" SRCREV = "ef7c4bf75ae239495141ada83d2fbaf034315563" S = "${WORKDIR}/git" PV = "0.0.12" diff --git a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb index 96dd880b6a..837807ccf9 100644 --- a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb +++ b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2750797da77c1d784e7626b3f7d7ff3e" DEPENDS_class-target = "${BPN}-native" SRC_URI = "\ - git://github.com/snowballstem/snowball.git \ + git://github.com/snowballstem/snowball.git;branch=master;protocol=https \ file://0001-Build-so-lib.patch \ file://0002-snowball-stemwords-do-link-with-LDFLAGS-set-by-build.patch \ " diff --git a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb index 6fb3b82ef1..5db78b7cf7 100644 --- a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb +++ b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb @@ -9,6 +9,6 @@ DEPENDS = " \ inherit autotools pkgconfig -SRC_URI = "git://github.com/linuxwacom/libwacom.git" +SRC_URI = "git://github.com/linuxwacom/libwacom.git;branch=master;protocol=https" SRCREV = "87cc710e21a6220e267dd08936bbec2932aa3658" S = "${WORKDIR}/git" diff --git a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb index ed3dece3f6..ee05045320 100644 --- a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb +++ b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" PV = "0.6+git${SRCPV}" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/kexecboot/kexecboot.git" +SRC_URI = "git://github.com/kexecboot/kexecboot.git;branch=master;protocol=https" SRC_URI_append_libc-klibc = " file://0001-kexecboot-Use-new-reboot-API-with-klibc.patch " SRCREV = "5a5e04be206140059f42ac786d424da1afaa04b6" diff --git a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb index 13cf5f6ded..dd22b196fa 100644 --- a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb +++ b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb @@ -10,7 +10,7 @@ PV = "049" # v048 tag SRCREV = "225e4b94cbdb702cf512490dcd2ad9ca5f5b22c1" -SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http \ +SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http;branch=master \ file://0001-util.h-include-sys-reg.h-when-libc-glibc.patch \ file://0001-dracut.sh-improve-udevdir.patch \ file://0001-set-viriable-_drv-not-local.patch \ diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb index 7403cf64f7..c890165b6a 100644 --- a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb +++ b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb @@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo" S = "${WORKDIR}/git" SRCREV = "79c5cfa02c567efdc5bb18cdd584789e2e35aa23" -SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \ +SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=master \ file://grubby-rename-grub2-editenv-to-grub-editenv.patch \ file://run-ptest \ file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \ diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb index 7248147a5c..9d3d7b55cc 100644 --- a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb +++ b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb @@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo" S = "${WORKDIR}/git" SRCREV = "a1d2ae93408c3408e672d7eba4550fdf27fb0201" -SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \ +SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=main \ file://grubby-rename-grub2-editenv-to-grub-editenv.patch \ file://run-ptest \ file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \ diff --git a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb index d322381621..fe5898a903 100644 --- a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb +++ b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ inherit autotools pkgconfig klibc SRCREV = "64f61a9dc71b158c7084006cbce4ea23886f0b47" -SRC_URI = "git://git.infradead.org/mtd-utils.git \ +SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \ file://0001-libmissing.h-fix-klibc-build-when-using-glibc-toolch.patch \ file://0002-Instead-of-doing-preprocessor-magic-just-output-off_.patch \ file://0003-Makefile.am-only-build-ubi-utils.patch \ diff --git a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb index 7ad55d8b8c..143ac6f433 100644 --- a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb +++ b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb @@ -12,7 +12,7 @@ DEPENDS = "zlib xz" inherit klibc autotools -SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git" +SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git;branch=master" SRCREV = "5750980cdbbc33ef75bfba6660295b932376ce15" BUILD_PATCHES = "file://0001-force-static-build.patch \ diff --git a/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch new file mode 100644 index 0000000000..695a2c94f0 --- /dev/null +++ b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch @@ -0,0 +1,75 @@ +From c805c1de1141cb22f74c0d94dd5664bda37398e0 Mon Sep 17 00:00:00 2001 +From: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com> +Date: Thu, 4 Jun 2020 12:03:03 -0300 +Subject: [PATCH] Fixes #177: NULL pointer dereference in + FindServiceControlURLPath + +Also fixes its dual bug in FindServiceEventURLPath. + +Reference: +https://nvd.nist.gov/vuln/detail/CVE-2020-13848 + +Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0] +CVE: CVE-2020-13848 +Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com> + +--- + ChangeLog | 6 ++++++ + upnp/src/genlib/service_table/service_table.c | 16 ++++++++++------ + 2 files changed, 16 insertions(+), 6 deletions(-) +diff --git a/ChangeLog b/ChangeLog +index 4a956fc..265d268 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -2,6 +2,12 @@ + Version 1.8.4 + ******************************************************************************* + ++2020-06-04 Patrik Lantz pjlantz(at)github ++ ++ Fixes #177 ++ ++ NULL pointer dereference in FindServiceControlURLPath ++ + 2017-11-17 Marcelo Jimenez <mroberto(at)users.sourceforge.net> + + GitHub #57 - 1.8.3 broke ABI without changing SONAME +diff --git a/upnp/src/genlib/service_table/service_table.c b/upnp/src/genlib/service_table/service_table.c +index 98c2c0f..f3ee4e5 100644 +--- a/upnp/src/genlib/service_table/service_table.c ++++ b/upnp/src/genlib/service_table/service_table.c +@@ -300,12 +300,11 @@ FindServiceEventURLPath( service_table * table, + uri_type parsed_url; + uri_type parsed_url_in; + +- if( ( table ) +- && +- ( parse_uri( eventURLPath, +- strlen( eventURLPath ), +- &parsed_url_in ) == HTTP_SUCCESS ) ) { +- ++ if (!table || !eventURLPath) { ++ return NULL; ++ } ++ if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) == ++ HTTP_SUCCESS) { + finger = table->serviceList; + while( finger ) { + if( finger->eventURL ) +@@ -352,11 +351,11 @@ FindServiceControlURLPath( service_table * table, + uri_type parsed_url; + uri_type parsed_url_in; + +- if( ( table ) +- && +- ( parse_uri +- ( controlURLPath, strlen( controlURLPath ), +- &parsed_url_in ) == HTTP_SUCCESS ) ) { ++ if (!table || !controlURLPath) { ++ return NULL; ++ } ++ if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) == ++ HTTP_SUCCESS) { + finger = table->serviceList; + while( finger ) { + if( finger->controlURL ) diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb index 339c07cd96..ef473c4896 100644 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb @@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=394a0f17b97f33426275571e15920434" PV = "1.8.4+git${SRCPV}" # release-1.8.4 SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d" -SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https" +SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https;branch=master \ + file://CVE-2020-13848.patch" S="${WORKDIR}/git" diff --git a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb index 20faef047e..32e74f08c3 100644 --- a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb +++ b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb @@ -8,7 +8,7 @@ DEPENDS = "avahi cmake-native dvb-apps libdvbcsa libpcre2 openssl uriparser zlib LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=9cae5acac2e9ee2fc3aec01ac88ce5db" -SRC_URI = "git://github.com/tvheadend/tvheadend.git \ +SRC_URI = "git://github.com/tvheadend/tvheadend.git;branch=master;protocol=https \ file://0001-adjust-for-64bit-time_t.patch \ file://0001-allocate-space-for-buf-on-heap.patch \ " diff --git a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb index 1a51abc360..343b9d7915 100644 --- a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb +++ b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb @@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c" SRCREV = "b93deed1a231dd6dd7e39b9fe7d2abe05aa00158" -SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https \ +SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https;branch=master \ file://0001-define-BASELIB-make-variable.patch \ " diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb index f23bc6ca81..c89156dcf8 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "glib-2.0 dbus dleyna-core" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "de913c35e5c936e2d40ddbd276ee902cd802bd3a" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb index 8939cd36e2..647532d9fa 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb @@ -13,7 +13,7 @@ DEPENDS = "glib-2.0 gupnp" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "1c6853f5bc697dc0a8774fd70dbc915c4dbe7c5b" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb index 642f21bd53..4b53763440 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 dleyna-core" RDEPENDS_${PN} = "dleyna-connector-dbus" -SRC_URI = "git://github.com/01org/${BPN}.git \ +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https \ file://0001-add-gupnp-1.2-API-support.patch \ " SRCREV = "50fd1ec9d51328e7dea98874129dc8d6fe3ea1dd" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb index e31b7aea2a..5fa3e2373a 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb @@ -12,7 +12,7 @@ DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 libxml2 dleyna-c RDEPENDS_${PN} = "dleyna-connector-dbus" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "eb895ae82715e9889a948ffa810c0f828b4f4c76" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb index d7911681c7..c499119c6f 100644 --- a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb +++ b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb @@ -11,7 +11,7 @@ LICENSE = "Fraunhofer_FDK_AAC_Codec_Library_for_Android" LICENSE_FLAGS = "commercial" LIC_FILES_CHKSUM = "file://NOTICE;md5=5985e1e12f4afa710d64ed7bfd291875" -SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=git;branch=master" +SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=https;branch=master" SRCREV = "d387d3b6ed79ff9a82c60440bdd86e6e5e324bec" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc index fcc9df8c30..ee3e38cd93 100644 --- a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc +++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc @@ -4,7 +4,7 @@ SECTION = "libs/multimedia" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594" -SRC_URI = "git://github.com/FluidSynth/fluidsynth.git" +SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https" SRCREV = "19a20eb8526465fdf940b740b13462d71e190a1a" S = "${WORKDIR}/git" PV = "2.1.3" diff --git a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb index c96e4c52e9..2f9ceffab7 100644 --- a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb +++ b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb @@ -3,7 +3,7 @@ Description = "Gerbera - An UPnP media server" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=25cdec9afe3f1f26212ead6bd2f7fac8" -SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https \ +SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https;branch=master \ " PV = "1.3.2" diff --git a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb index d047caef5f..19d43a4b74 100644 --- a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb +++ b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb @@ -14,10 +14,10 @@ PV = "0.6.1" SRCREV_base = "c41a05cc9e2310c2f73eda4b4f0b4477bf4479c5" SRCREV_common = "88e512ca7197a45c4114f7fa993108f23245bf50" - +SRCREV_FORMAT = "base_common" SRC_URI = " \ git://github.com/RidgeRun/gst-shark.git;protocol=https;branch=${SRCBRANCH};name=base \ - git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common; \ + git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb index 3f8fe2f360..e16fd25962 100644 --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "\ " SRC_URI = " \ - git://linuxtv.org/libcamera.git;protocol=git \ + git://linuxtv.org/libcamera.git;protocol=git;branch=master \ " SRCREV = "a8be6e94e79f602d543a15afd44ef60e378b138f" diff --git a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb index 7f042c382f..4cf8e2effc 100644 --- a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb +++ b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "bc6c0b164a87ce05e9925785cc6fb3f54c02b026" -SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https \ +SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https;branch=master \ file://libdvbcsa.pc \ " diff --git a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb index f060f1e80d..cb42d943fc 100644 --- a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb +++ b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://alpha.cpp;beginline=3;endline=22;md5=6665e479f71feb92 PV = "1.10+git${SRCPV}" SRCREV = "52e7d93c5947f72380521116c05d97c528863ba8" -SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https" +SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb index b313b110cc..4631b037be 100644 --- a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb +++ b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb @@ -20,7 +20,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=416ef1ca5167707fe381d7be33664a33" DEPENDS = "curl-native icu" SRCREV = "67e43bf0fa56008276b878ec3790aa5f32eb2a16" -SRC_URI = "git://github.com/MycroftAI/mimic.git" +SRC_URI = "git://github.com/MycroftAI/mimic.git;branch=master;protocol=https" inherit autotools diff --git a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb index ca9d94a19c..253f995d88 100644 --- a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb +++ b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb @@ -8,7 +8,7 @@ DEPENDS = "expat libxml2 libxml2-native neon neon-native" PV = "5.1.0+git${SRCPV}" SRCREV = "44c05779dd996035758f5ec426766aeedce29cc3" -SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git \ +SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git;branch=master;protocol=https \ file://allow-libdir-override.patch " S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb index 235e63e481..84b7baab23 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb @@ -6,7 +6,7 @@ HOMEPAGE = "https://www.musicpd.org/libs/libmpdclient/" inherit meson SRC_URI = " \ - git://github.com/MusicPlayerDaemon/libmpdclient \ + git://github.com/MusicPlayerDaemon/libmpdclient;branch=master;protocol=https \ " SRCREV = "4e8d990eb5239566ee948f1cd79b7248e008620a" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb index 41abe7108a..b4fce35df7 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb @@ -10,7 +10,7 @@ DEPENDS += " \ " SRC_URI = " \ - git://github.com/MusicPlayerDaemon/mpc \ + git://github.com/MusicPlayerDaemon/mpc;branch=master;protocol=https \ " SRCREV = "59875acdf34e5f0eac0c11453c49daef54f78413" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb index 133ee6e792..3f20515993 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb @@ -17,7 +17,7 @@ DEPENDS += " \ " SRC_URI = " \ - git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x \ + git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x;protocol=https \ file://mpd.conf.in \ file://0001-StringBuffer-Include-cstddef-for-size_t.patch \ file://0002-Include-stdexcept-for-runtime_error.patch \ diff --git a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb index 0c99c7c698..c92a4421a3 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb @@ -31,7 +31,7 @@ PACKAGECONFIG[outputs_screen] = "-Doutputs_screen=true,-Doutputs_screen=false" PACKAGECONFIG[chat_screen] = "-Dchat_screen=true,-Dchat_screen=false" SRC_URI = " \ - git://github.com/MusicPlayerDaemon/ncmpc \ + git://github.com/MusicPlayerDaemon/ncmpc;branch=master;protocol=https \ " SRCREV = "79cf9905355f25bc5cc6d5a05d2846d75342f554" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb index 62d1ad7f74..e71cb87014 100644 --- a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb +++ b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb @@ -7,7 +7,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=79aa497b11564d1d419ee889e7b498f6" SRCREV = "913f29d3d550637934f9abf43a097eb2c30d76fc" -SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master \ +SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master;protocol=https \ file://0001-Remove-python-venv.patch \ file://0002-dev_setup.sh-Remove-the-git-dependency.patch \ file://0003-dev_setup.sh-Remove-the-TERM-dependency.patch \ diff --git a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb index a9cdfac8a9..5787f22036 100644 --- a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb +++ b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb @@ -7,7 +7,7 @@ inherit cmake pkgconfig # openal-soft-1.19.1 SRCREV = "6761218e51699f46bf25c377e65b3e9ea5e434b9" -SRC_URI = "git://github.com/kcat/openal-soft \ +SRC_URI = "git://github.com/kcat/openal-soft;branch=master;protocol=https \ file://0001-Use-BUILD_CC-to-compile-native-tools.patch \ file://0002-makehrtf-Disable-Wstringop-truncation.patch \ " diff --git a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb index 5f78be4f51..53ee2a82fb 100644 --- a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb +++ b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb @@ -9,7 +9,7 @@ DEPENDS = "gnutls zlib" SRCREV = "fa8646daeb19dfd12c181f7d19de708d623704c0" SRC_URI = " \ - git://git.ffmpeg.org/rtmpdump \ + git://git.ffmpeg.org/rtmpdump;branch=master \ file://fix-racing-build-issue.patch" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb index 70eb6e4be7..47f7af46bd 100644 --- a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb +++ b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb @@ -3,7 +3,7 @@ LICENSE = "CC-BY-3.0" # http://www.bigbuckbunny.org/index.php/about/ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7" -SRC_URI = "http://themazzone.com/big_buck_bunny_1080p_surround.avi" +SRC_URI = "http://www.peach.themazzone.com/big_buck_bunny_1080p_surround.avi" SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a" SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea" diff --git a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb index 062096892e..68cf8795a6 100644 --- a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb +++ b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb @@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://NOTICE;md5=dbdefe400d894b510a9de14813181d0b" SRCREV = "8449529c7e50f432091539ba7b438e79b04059b5" -SRC_URI = "git://github.com/tinyalsa/tinyalsa \ +SRC_URI = "git://github.com/tinyalsa/tinyalsa;branch=master;protocol=https \ file://0001-Use-CMAKE_INSTALL_-path-instead-of-hardcoding-bin-li.patch \ " PV = "1.1.1+git${SRCPV}" diff --git a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb index 6abf6080bd..f8ab1bf680 100644 --- a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb +++ b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=db1b7a668b2a6f47b2af88fb008ad555 \ file://os.h;beginline=3;endline=14;md5=5c0af5e1bedef3ce8178c89f48cd6f1f" DEPENDS = "libogg" -SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https \ +SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https;branch=master \ file://obsolete_automake_macros.patch;striplevel=0 \ file://tremor-arm-thumb2.patch \ " diff --git a/meta-multimedia/recipes-support/crossguid/crossguid.bb b/meta-multimedia/recipes-support/crossguid/crossguid.bb index 228b8b6540..f2d6e7a241 100644 --- a/meta-multimedia/recipes-support/crossguid/crossguid.bb +++ b/meta-multimedia/recipes-support/crossguid/crossguid.bb @@ -10,7 +10,7 @@ DEPENDS += "util-linux" PV = "0.0+git${SRCPV}" SRCREV = "b56957ac453575e91ca1b63a80c0077c2b0d011a" -SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https" +SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb index feffa9fe19..50c69a9a08 100644 --- a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb +++ b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb @@ -9,7 +9,7 @@ DEPENDS = "gstreamer1.0" S = "${WORKDIR}/git" SRCREV = "3b862e52e5c53ad1023dc6808effa4cb75572c4b" -SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;" +SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;branch=master" FILES_${PN}-staticdev += "${libdir}/gstreamer-1.0/*a" FILES_${PN} += "${libdir}/*" diff --git a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb index d4a62bd92d..4cb85f8151 100644 --- a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb +++ b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb @@ -2,7 +2,7 @@ SUMMARY = "a SocketCAN over Ethernet tunnel" HOMEPAGE = "https://github.com/mguentner/cannelloni" LICENSE = "GPLv2" -SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https \ +SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https;branch=master \ file://0001-Use-GNUInstallDirs-instead-of-hard-coding-paths.patch \ file://0002-include-missing-stdexcept-for-runtime_error.patch \ " diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb index 2820f9fa6d..e9c2056180 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=50bd1d7f135b50d7e218996ba28d0d88" SRCREV = "4b440a339979852d5a51fb11a822952712231c23" PV = "1.12+git${SRCPV}" -SRC_URI = "git://github.com/civetweb/civetweb.git \ +SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ " diff --git a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb index 90051a319a..f856655904 100644 --- a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb +++ b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=7236695bb6d4461c105d685a8b61c4e3" SRCREV = "c4b0ed52e751da7823dd9a36e91f93a6310e5525" -SRC_URI = "git://github.com/tomaszmrugalski/dibbler \ +SRC_URI = "git://github.com/tomaszmrugalski/dibbler;branch=master;protocol=https \ file://dibbler_fix_getSize_crash.patch \ file://0001-linux-port-Rename-pthread_mutex_t-variable-lock.patch \ " diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb index 2c39c4c443..1ea0cb16d3 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb @@ -13,7 +13,7 @@ LICENSE = "GPLv2 & LGPLv2+" LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a" DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc" -SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0; \ +SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;protocol=https \ file://freeradius \ file://volatiles.58_radiusd \ file://freeradius-enble-user-in-conf.patch \ diff --git a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb index 5b27cfe155..c1a8146119 100644 --- a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb +++ b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=0036c1b155f4e999f3e0a373490b5db9" -SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1" +SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1;protocol=https" SRCREV = "12fca29a6d4e99d1b923d6820887fe7b24226904" UPSTREAM_CHECK_GITTAGREGEX = "libdnet-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb index 8444f0b739..66a7aaa6b2 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=587b3fd7fd291e418ff4d2b8f3904755" SECTION = "libs/networking" -SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https" +SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https;branch=master" SRCREV = "1749fd7b039165a91b8d556b4df18e3e632ad830" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb index 77be27ffaa..6d035f4039 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb @@ -8,7 +8,7 @@ SECTION = "libs/networking" SRCREV = "53ae1a5ab37fdfc9ad5c236df3eaf4dd63f0fee9" -SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x" +SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb index 9f123c70fb..d91fc752e2 100644 --- a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb +++ b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb @@ -15,7 +15,7 @@ SRCREV = "5d22e9d22c4a3724d27b80b0cd9b898ae8f59d2b" PV = "0.98+git${SRCPV}" SRC_URI = " \ - git://github.com/CanonicalLtd/netplan.git \ + git://github.com/CanonicalLtd/netplan.git;branch=master;protocol=https \ " DEPENDS = "glib-2.0 libyaml ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb index 33a2b7c0ce..a28372dd1f 100644 --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb @@ -33,11 +33,12 @@ SRC_URI_append_libc-musl = " \ file://musl/0003-Fix-build-with-musl-for-n-dhcp4.patch \ file://musl/0004-Fix-build-with-musl-systemd-specific.patch \ " -SRC_URI[sha256sum] = "2b29ccc1531ba7ebba95a97f40c22b963838e8b6833745efe8e6fb71fd8fca77" +SRC_URI[sha256sum] = "377aa053752eaa304b72c9906f9efcd9fbd5f7f6cb4cd4ad72425a68982cffc6" S = "${WORKDIR}/NetworkManager-${PV}" EXTRA_OECONF = " \ + --disable-firewalld-zone \ --disable-ifcfg-rh \ --disable-more-warnings \ --with-iptables=${sbindir}/iptables \ diff --git a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb index 597c1920cf..144afb4843 100644 --- a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb +++ b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb @@ -3,7 +3,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=243b725d71bb5df4a1e5920b344b86ad" SRC_URI = " \ - git://git.infradead.org/users/dwmw2/openconnect.git \ + git://git.infradead.org/users/dwmw2/openconnect.git;branch=master \ file://0001-trojans-tncc-wrapper.py-convert-to-python3.patch \ " SRCREV = "ea73851969ae7a6ea54fdd2d2b8c94776af24b2a" diff --git a/meta-networking/recipes-connectivity/relayd/relayd_git.bb b/meta-networking/recipes-connectivity/relayd/relayd_git.bb index e3134e41fc..a75b43e062 100644 --- a/meta-networking/recipes-connectivity/relayd/relayd_git.bb +++ b/meta-networking/recipes-connectivity/relayd/relayd_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=17;md5=86aad799085683e0a2e1c2684a20bab DEPENDS = "libubox" -SRC_URI = "git://git.openwrt.org/project/relayd.git \ +SRC_URI = "git://git.openwrt.org/project/relayd.git;branch=master \ file://0001-rtnl_flush-Error-on-failed-write.patch \ " diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch new file mode 100644 index 0000000000..0d1cbe5ad4 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch @@ -0,0 +1,93 @@ +From 3f62a590b02bf4c888a995017e2575d3b2ec6ac9 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett <abartlet@samba.org> +Date: Tue, 12 Sep 2023 18:59:44 +1200 +Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by + default + +The rpcecho server is useful in development and testing, but should never +have been allowed into production, as it includes the facility to +do a blocking sleep() in the single-threaded rpc worker. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://www.samba.org/samba/ftp/patches/security/samba-4.17.12-security-2023-10-10.patch] +CVE: CVE-2023-42669 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- + lib/param/loadparm.c | 2 +- + selftest/target/Samba4.pm | 2 +- + source3/param/loadparm.c | 2 +- + source4/rpc_server/wscript_build | 3 ++- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +index 8a217cc..c6642b7 100644 +--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml ++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +@@ -6,6 +6,6 @@ + <para>Specifies which DCE/RPC endpoint servers should be run.</para> + </description> + +-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> ++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> + <value type="example">rpcecho</value> + </samba:parameter> +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 4c3dfff..db4ae5e 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2653,7 +2653,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); + lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); + +- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); ++ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); + /* the winbind method for domain controllers is for both RODC +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index a7a6c4c..ffa4b95 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -773,7 +773,7 @@ sub provision_raw_step1($$) + wins support = yes + server role = $ctx->{server_role} + server services = +echo $services +- dcerpc endpoint servers = +winreg +srvsvc ++ dcerpc endpoint servers = +winreg +srvsvc +rpcecho + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 0db44e9..b052d42 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -877,7 +877,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); + +- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); ++ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); + + Globals.tls_enabled = true; + Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index 510335a..a95e070 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -36,7 +36,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', + source='echo/rpc_echo.c', + subsystem='dcerpc_server', + init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' ++ deps='ndr-standard events', ++ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') + ) + + +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb index 1a982368ec..3b8da2b1cb 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb @@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \ file://CVE-2020-14318.patch \ file://CVE-2020-14383.patch \ + file://CVE-2023-42669.patch \ " SRC_URI_append_libc-musl = " \ file://samba-pam.patch \ @@ -44,6 +45,10 @@ SRC_URI[sha256sum] = "7dcfc2aaaac565b959068788e6a43fc79ce2a03e7d523f5843f7a9fddf UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.10(\.\d+)+).tar.gz" inherit systemd waf-samba cpan-base perlnative update-rc.d + +# CVE-2011-2411 is valnerble only on HP NonStop Servers. +CVE_CHECK_WHITELIST += "CVE-2011-2411" + # remove default added RDEPENDS on perl RDEPENDS_${PN}_remove = "perl" diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch b/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch new file mode 100644 index 0000000000..9c268599ff --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch @@ -0,0 +1,36 @@ + * check-requirements now gives iptables output on failure. Patch thanks to + S. Nizio. + +Written by Jamie Strandboge <jamie@canonical.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id 9a6d8beb4cb1d1646c7d2a19e4aea9898f4571bb + +Removed ChangeLog patch due to backport status of this patch. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +--- check-requirements.orig 2012-12-03 16:37:20.214274095 +0100 ++++ ufw-0.33/tests/check-requirements 2012-12-03 16:40:16.298728133 +0100 +@@ -29,14 +29,19 @@ + runtime="yes" + shift 1 + fi +- if $@ >/dev/null 2>&1 ; then ++ local output ret=0 ++ # make sure to always return success below because of set -e ++ output=$( "$@" 2>&1 ) || ret=$? ++ if [ $ret -eq 0 ]; then + echo pass + else + if [ "$runtime" = "yes" ]; then + echo "FAIL (no runtime support)" ++ echo "error was: $output" + error_runtime="yes" + else + echo FAIL ++ echo "error was: $output" + error="yes" + fi + fi diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch b/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch new file mode 100644 index 0000000000..7a97773de0 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch @@ -0,0 +1,14903 @@ +use conntrack instead of state module. Patch based on work by S. Nizio. + +https://bugs.launchpad.net/ufw/+bug/1065297 + +The patch was imported from git://git.launchpad.net/ufw +commit id 2a24ab2c46a1370d230d380a7b794ac3f8296799 + +Removed ChangeLog patch due to backport status of this patch. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/README b/README +index 0cc2b2f..fead7c0 100644 +--- a/README ++++ b/README +@@ -24,13 +24,14 @@ Linux kernel configured with the following modules (not exhaustive): + limit + multiport + recent +- state +- +-* python2.5 is no longer supported +-** Systems with iptables below 1.4 will not have IPv6 application rule support. +- ufw will give a warning when users try to use this functionality, but ufw +- will otherwise work fine. ufw is known to work with iptables 1.3.8 in this +- degraded mode. ++ conntrack*** ++ ++* python2.5 is no longer supported ++** Systems with iptables below 1.4 will not have IPv6 application rule ++ support. ufw will give a warning when users try to use this functionality, ++ but ufw will otherwise work fine. ufw is known to work with iptables 1.3.8 ++ in this degraded mode. ++*** As of 0.34, the 'conntrack' modules is used instead of 'state' + + ufw has been widely tested on Linux 2.6.24 and higher kernels. You may also + use the check-requirements script in the tests/ directory to see if your +diff --git a/conf/before.rules b/conf/before.rules +index bc11f36..9917b87 100644 +--- a/conf/before.rules ++++ b/conf/before.rules +@@ -22,12 +22,12 @@ + -A ufw-before-output -o lo -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw-before-input -m state --state INVALID -j ufw-logging-deny +--A ufw-before-input -m state --state INVALID -j DROP ++-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny ++-A ufw-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT +diff --git a/conf/before6.rules b/conf/before6.rules +index fb1a8f1..8b7e4ff 100644 +--- a/conf/before6.rules ++++ b/conf/before6.rules +@@ -34,16 +34,16 @@ + -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # for multicast ping replies from link-local addresses (these don't have an + # associated connection and would otherwise be marked INVALID) + -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny +--A ufw6-before-input -m state --state INVALID -j DROP ++-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny ++-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT +diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 +index d9e3d5a..76403d6 100644 +--- a/doc/ufw-framework.8 ++++ b/doc/ufw-framework.8 +@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + .TP + Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section: +@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT + +- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\ +- \-\-state NEW \-j ACCEPT ++ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \\ ++ \-m conntrack \-\-ctstate NEW \-j ACCEPT + +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + + \-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT +diff --git a/locales/po/ufw.pot b/locales/po/ufw.pot +index fc56838..dc4b8e9 100644 +--- a/locales/po/ufw.pot ++++ b/locales/po/ufw.pot +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2012-08-12 10:55-0500\n" ++"POT-Creation-Date: 2012-12-03 14:33-0600\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" + "Language-Team: LANGUAGE <LL@li.org>\n" +@@ -21,7 +21,7 @@ msgstr "" + msgid ": Need at least python 2.6)\n" + msgstr "" + +-#: src/ufw:109 src/frontend.py:575 src/frontend.py:877 ++#: src/ufw:109 src/frontend.py:577 src/frontend.py:879 + msgid "Aborted" + msgstr "" + +@@ -103,7 +103,7 @@ msgstr "" + msgid "New profiles:" + msgstr "" + +-#: src/backend_iptables.py:88 src/backend.py:322 ++#: src/backend_iptables.py:88 src/backend.py:339 + #, python-format + msgid "Unsupported policy '%s'" + msgstr "" +@@ -130,44 +130,44 @@ msgstr "" + msgid "Checking raw ip6tables\n" + msgstr "" + +-#: src/backend_iptables.py:250 ++#: src/backend_iptables.py:253 + msgid "Checking iptables\n" + msgstr "" + +-#: src/backend_iptables.py:252 ++#: src/backend_iptables.py:255 + msgid "Checking ip6tables\n" + msgstr "" + +-#: src/backend_iptables.py:255 src/backend_iptables.py:495 ++#: src/backend_iptables.py:258 src/backend_iptables.py:501 + msgid "problem running" + msgstr "" + +-#: src/backend_iptables.py:261 ++#: src/backend_iptables.py:264 + msgid "Status: inactive" + msgstr "" + +-#: src/backend_iptables.py:397 ++#: src/backend_iptables.py:400 + msgid "To" + msgstr "" + +-#: src/backend_iptables.py:398 ++#: src/backend_iptables.py:401 + msgid "From" + msgstr "" + +-#: src/backend_iptables.py:399 ++#: src/backend_iptables.py:402 + msgid "Action" + msgstr "" + +-#: src/backend_iptables.py:415 ++#: src/backend_iptables.py:418 + msgid "\n" + msgstr "" + +-#: src/backend_iptables.py:423 ++#: src/backend_iptables.py:426 + #, python-format + msgid "Default: %(in)s (incoming), %(out)s (outgoing)" + msgstr "" + +-#: src/backend_iptables.py:427 ++#: src/backend_iptables.py:430 + #, python-format + msgid "" + "Status: active\n" +@@ -176,174 +176,174 @@ msgid "" + "%(app)s%(status)s" + msgstr "" + +-#: src/backend_iptables.py:431 ++#: src/backend_iptables.py:434 + #, python-format + msgid "Status: active%s" + msgstr "" + +-#: src/backend_iptables.py:436 src/backend_iptables.py:446 ++#: src/backend_iptables.py:439 src/backend_iptables.py:449 + msgid "running ufw-init" + msgstr "" + +-#: src/backend_iptables.py:440 src/backend_iptables.py:450 ++#: src/backend_iptables.py:443 src/backend_iptables.py:453 + #, python-format + msgid "" + "problem running ufw-init\n" + "%s" + msgstr "" + +-#: src/backend_iptables.py:459 ++#: src/backend_iptables.py:462 + msgid "Could not set LOGLEVEL" + msgstr "" + +-#: src/backend_iptables.py:465 ++#: src/backend_iptables.py:468 + msgid "Could not load logging rules" + msgstr "" + +-#: src/backend_iptables.py:617 src/backend.py:229 ++#: src/backend_iptables.py:623 src/backend.py:246 + #, python-format + msgid "Couldn't open '%s' for reading" + msgstr "" + +-#: src/backend_iptables.py:626 ++#: src/backend_iptables.py:632 + #, python-format + msgid "Skipping malformed tuple (bad length): %s" + msgstr "" + +-#: src/backend_iptables.py:657 ++#: src/backend_iptables.py:663 + #, python-format + msgid "Skipping malformed tuple: %s" + msgstr "" + +-#: src/backend_iptables.py:679 src/backend.py:260 ++#: src/backend_iptables.py:685 src/backend.py:277 + #, python-format + msgid "'%s' is not writable" + msgstr "" + +-#: src/backend_iptables.py:837 ++#: src/backend_iptables.py:850 + msgid "Adding IPv6 rule failed: IPv6 not enabled" + msgstr "" + +-#: src/backend_iptables.py:841 ++#: src/backend_iptables.py:854 + #, python-format + msgid "Skipping unsupported IPv6 '%s' rule" + msgstr "" + +-#: src/backend_iptables.py:845 ++#: src/backend_iptables.py:858 + #, python-format + msgid "Skipping unsupported IPv4 '%s' rule" + msgstr "" + +-#: src/backend_iptables.py:848 ++#: src/backend_iptables.py:861 + msgid "Must specify 'tcp' or 'udp' with multiple ports" + msgstr "" + +-#: src/backend_iptables.py:860 ++#: src/backend_iptables.py:873 + msgid "Skipping IPv6 application rule. Need at least iptables 1.4" + msgstr "" + +-#: src/backend_iptables.py:865 ++#: src/backend_iptables.py:878 + #, python-format + msgid "Invalid position '%d'" + msgstr "" + +-#: src/backend_iptables.py:869 ++#: src/backend_iptables.py:882 + msgid "Cannot specify insert and delete" + msgstr "" + +-#: src/backend_iptables.py:872 ++#: src/backend_iptables.py:885 + #, python-format + msgid "Cannot insert rule at position '%d'" + msgstr "" + +-#: src/backend_iptables.py:930 ++#: src/backend_iptables.py:943 + msgid "Skipping inserting existing rule" + msgstr "" + +-#: src/backend_iptables.py:941 src/frontend.py:386 ++#: src/backend_iptables.py:954 src/frontend.py:388 + msgid "Could not delete non-existent rule" + msgstr "" + +-#: src/backend_iptables.py:946 ++#: src/backend_iptables.py:959 + msgid "Skipping adding existing rule" + msgstr "" + +-#: src/backend_iptables.py:962 ++#: src/backend_iptables.py:975 + msgid "Couldn't update rules file" + msgstr "" + +-#: src/backend_iptables.py:967 ++#: src/backend_iptables.py:980 + msgid "Rules updated" + msgstr "" + +-#: src/backend_iptables.py:969 ++#: src/backend_iptables.py:982 + msgid "Rules updated (v6)" + msgstr "" + +-#: src/backend_iptables.py:977 ++#: src/backend_iptables.py:990 + msgid "Rule inserted" + msgstr "" + +-#: src/backend_iptables.py:979 ++#: src/backend_iptables.py:992 + msgid "Rule updated" + msgstr "" + +-#: src/backend_iptables.py:989 ++#: src/backend_iptables.py:1002 + msgid " (skipped reloading firewall)" + msgstr "" + +-#: src/backend_iptables.py:992 ++#: src/backend_iptables.py:1005 + msgid "Rule deleted" + msgstr "" + +-#: src/backend_iptables.py:995 ++#: src/backend_iptables.py:1008 + msgid "Rule added" + msgstr "" + +-#: src/backend_iptables.py:1010 src/backend_iptables.py:1098 ++#: src/backend_iptables.py:1023 src/backend_iptables.py:1114 + msgid "Could not update running firewall" + msgstr "" + +-#: src/backend_iptables.py:1065 ++#: src/backend_iptables.py:1078 + #, python-format + msgid "Could not perform '%s'" + msgstr "" + +-#: src/backend_iptables.py:1089 ++#: src/backend_iptables.py:1105 + msgid "Couldn't update rules file for logging" + msgstr "" + +-#: src/backend_iptables.py:1147 src/backend.py:578 ++#: src/backend_iptables.py:1163 src/backend.py:595 + #, python-format + msgid "Invalid log level '%s'" + msgstr "" + +-#: src/backend_iptables.py:1244 ++#: src/backend_iptables.py:1260 + #, python-format + msgid "Could not find '%s'. Aborting" + msgstr "" + +-#: src/backend_iptables.py:1256 ++#: src/backend_iptables.py:1272 + #, python-format + msgid "'%s' already exists. Aborting" + msgstr "" + +-#: src/backend_iptables.py:1262 ++#: src/backend_iptables.py:1278 + #, python-format + msgid "Backing up '%(old)s' to '%(new)s'\n" + msgstr "" + +-#: src/backend_iptables.py:1278 src/backend.py:185 ++#: src/backend_iptables.py:1294 src/backend.py:202 + #, python-format + msgid "Couldn't stat '%s'" + msgstr "" + +-#: src/backend_iptables.py:1283 ++#: src/backend_iptables.py:1299 + #, python-format + msgid "WARN: '%s' is world writable" + msgstr "" + +-#: src/backend_iptables.py:1285 ++#: src/backend_iptables.py:1301 + #, python-format + msgid "WARN: '%s' is world readable" + msgstr "" +@@ -352,102 +352,102 @@ msgstr "" + msgid "Couldn't determine iptables version" + msgstr "" + +-#: src/backend.py:138 ++#: src/backend.py:155 + msgid "Checks disabled" + msgstr "" + +-#: src/backend.py:144 ++#: src/backend.py:161 + msgid "ERROR: this script should not be SUID" + msgstr "" + +-#: src/backend.py:147 ++#: src/backend.py:164 + msgid "ERROR: this script should not be SGID" + msgstr "" + +-#: src/backend.py:152 ++#: src/backend.py:169 + msgid "You need to be root to run this script" + msgstr "" + +-#: src/backend.py:162 ++#: src/backend.py:179 + #, python-format + msgid "'%s' does not exist" + msgstr "" + +-#: src/backend.py:191 ++#: src/backend.py:208 + #, python-format + msgid "uid is %(uid)s but '%(path)s' is owned by %(st_uid)s" + msgstr "" + +-#: src/backend.py:198 ++#: src/backend.py:215 + #, python-format + msgid "%s is world writable!" + msgstr "" + +-#: src/backend.py:202 ++#: src/backend.py:219 + #, python-format + msgid "%s is group writable!" + msgstr "" + +-#: src/backend.py:218 ++#: src/backend.py:235 + #, python-format + msgid "'%(f)s' file '%(name)s' does not exist" + msgstr "" + +-#: src/backend.py:243 ++#: src/backend.py:260 + #, python-format + msgid "Missing policy for '%s'" + msgstr "" + +-#: src/backend.py:247 ++#: src/backend.py:264 + #, python-format + msgid "Invalid policy '%(policy)s' for '%(chain)s'" + msgstr "" + +-#: src/backend.py:254 ++#: src/backend.py:271 + msgid "Invalid option" + msgstr "" + +-#: src/backend.py:325 ++#: src/backend.py:342 + #, python-format + msgid "Default application policy changed to '%s'" + msgstr "" + +-#: src/backend.py:407 ++#: src/backend.py:424 + msgid "No rules found for application profile" + msgstr "" + +-#: src/backend.py:466 ++#: src/backend.py:483 + #, python-format + msgid "Rules updated for profile '%s'" + msgstr "" + +-#: src/backend.py:472 ++#: src/backend.py:489 + msgid "Couldn't update application rules" + msgstr "" + +-#: src/backend.py:494 ++#: src/backend.py:511 + #, python-format + msgid "Found multiple matches for '%s'. Please use exact profile name" + msgstr "" + +-#: src/backend.py:496 ++#: src/backend.py:513 + #, python-format + msgid "Could not find a profile matching '%s'" + msgstr "" + +-#: src/backend.py:562 ++#: src/backend.py:579 + msgid "Logging: " + msgstr "" + +-#: src/backend.py:566 ++#: src/backend.py:583 + msgid "unknown" + msgstr "" + +-#: src/backend.py:596 ++#: src/backend.py:613 + msgid "Logging disabled" + msgstr "" + +-#: src/backend.py:598 ++#: src/backend.py:615 + msgid "Logging enabled" + msgstr "" + +@@ -526,6 +526,7 @@ msgid "" + " %(limit)-31s add limit %(rule)s\n" + " %(delete)-31s delete %(urule)s\n" + " %(insert)-31s insert %(urule)s at %(number)s\n" ++" %(reload)-31s reload firewall\n" + " %(reset)-31s reset firewall\n" + " %(status)-31s show firewall status\n" + " %(statusnum)-31s show firewall status as numbered list of %(rules)s\n" +@@ -540,87 +541,87 @@ msgid "" + " %(appdefault)-31s set default application policy\n" + msgstr "" + +-#: src/frontend.py:160 ++#: src/frontend.py:162 + msgid "n" + msgstr "" + +-#: src/frontend.py:161 ++#: src/frontend.py:163 + msgid "y" + msgstr "" + +-#: src/frontend.py:162 ++#: src/frontend.py:164 + msgid "yes" + msgstr "" + +-#: src/frontend.py:207 ++#: src/frontend.py:209 + msgid "Firewall is active and enabled on system startup" + msgstr "" + +-#: src/frontend.py:214 ++#: src/frontend.py:216 + msgid "Firewall stopped and disabled on system startup" + msgstr "" + +-#: src/frontend.py:265 ++#: src/frontend.py:267 + msgid "Could not get listening status" + msgstr "" + +-#: src/frontend.py:326 ++#: src/frontend.py:328 + msgid "Added user rules (see 'ufw status' for running firewall):" + msgstr "" + +-#: src/frontend.py:329 ++#: src/frontend.py:331 + msgid "" + "\n" + "(None)" + msgstr "" + +-#: src/frontend.py:381 src/frontend.py:479 src/frontend.py:489 ++#: src/frontend.py:383 src/frontend.py:481 src/frontend.py:491 + #, python-format + msgid "Invalid IP version '%s'" + msgstr "" + +-#: src/frontend.py:412 ++#: src/frontend.py:414 + msgid "Invalid position '" + msgstr "" + +-#: src/frontend.py:486 ++#: src/frontend.py:488 + msgid "IPv6 support not enabled" + msgstr "" + +-#: src/frontend.py:497 ++#: src/frontend.py:499 + msgid "Rule changed after normalization" + msgstr "" + +-#: src/frontend.py:521 ++#: src/frontend.py:523 + #, python-format + msgid "Could not back out rule '%s'" + msgstr "" + +-#: src/frontend.py:525 ++#: src/frontend.py:527 + msgid "" + "\n" + "Error applying application rules." + msgstr "" + +-#: src/frontend.py:527 ++#: src/frontend.py:529 + msgid " Some rules could not be unapplied." + msgstr "" + +-#: src/frontend.py:529 ++#: src/frontend.py:531 + msgid " Attempted rules successfully unapplied." + msgstr "" + +-#: src/frontend.py:540 ++#: src/frontend.py:542 + #, python-format + msgid "Could not find rule '%s'" + msgstr "" + +-#: src/frontend.py:545 src/frontend.py:550 ++#: src/frontend.py:547 src/frontend.py:552 + #, python-format + msgid "Could not find rule '%d'" + msgstr "" + +-#: src/frontend.py:562 ++#: src/frontend.py:564 + #, python-format + msgid "" + "Deleting:\n" +@@ -628,93 +629,93 @@ msgid "" + "Proceed with operation (%(yes)s|%(no)s)? " + msgstr "" + +-#: src/frontend.py:593 ++#: src/frontend.py:595 + msgid "Unsupported default policy" + msgstr "" + +-#: src/frontend.py:622 src/frontend.py:767 ++#: src/frontend.py:624 src/frontend.py:769 + msgid "Firewall reloaded" + msgstr "" + +-#: src/frontend.py:624 ++#: src/frontend.py:626 + msgid "Firewall not enabled (skipping reload)" + msgstr "" + +-#: src/frontend.py:641 src/frontend.py:655 src/frontend.py:692 ++#: src/frontend.py:643 src/frontend.py:657 src/frontend.py:694 + msgid "Invalid profile name" + msgstr "" + +-#: src/frontend.py:660 src/frontend.py:842 ++#: src/frontend.py:662 src/frontend.py:844 + #, python-format + msgid "Unsupported action '%s'" + msgstr "" + +-#: src/frontend.py:679 ++#: src/frontend.py:681 + msgid "Available applications:" + msgstr "" + +-#: src/frontend.py:700 ++#: src/frontend.py:702 + #, python-format + msgid "Could not find profile '%s'" + msgstr "" + +-#: src/frontend.py:705 ++#: src/frontend.py:707 + msgid "Invalid profile" + msgstr "" + +-#: src/frontend.py:708 ++#: src/frontend.py:710 + #, python-format + msgid "Profile: %s\n" + msgstr "" + +-#: src/frontend.py:709 ++#: src/frontend.py:711 + #, python-format + msgid "Title: %s\n" + msgstr "" + +-#: src/frontend.py:712 ++#: src/frontend.py:714 + #, python-format + msgid "" + "Description: %s\n" + "\n" + msgstr "" + +-#: src/frontend.py:718 ++#: src/frontend.py:720 + msgid "Ports:" + msgstr "" + +-#: src/frontend.py:720 ++#: src/frontend.py:722 + msgid "Port:" + msgstr "" + +-#: src/frontend.py:769 ++#: src/frontend.py:771 + msgid "Skipped reloading firewall" + msgstr "" + +-#: src/frontend.py:779 ++#: src/frontend.py:781 + msgid "Cannot specify 'all' with '--add-new'" + msgstr "" + +-#: src/frontend.py:794 ++#: src/frontend.py:796 + #, python-format + msgid "Unknown policy '%s'" + msgstr "" + +-#: src/frontend.py:851 ++#: src/frontend.py:853 + #, python-format + msgid "" + "Command may disrupt existing ssh connections. Proceed with operation " + "(%(yes)s|%(no)s)? " + msgstr "" + +-#: src/frontend.py:864 ++#: src/frontend.py:866 + #, python-format + msgid "" + "Resetting all rules to installed defaults. Proceed with operation (%(yes)s|" + "%(no)s)? " + msgstr "" + +-#: src/frontend.py:868 ++#: src/frontend.py:870 + #, python-format + msgid "" + "Resetting all rules to installed defaults. This may disrupt existing ssh " +diff --git a/setup.py b/setup.py +index 6fb3751..1685401 100644 +--- a/setup.py ++++ b/setup.py +@@ -35,7 +35,7 @@ import sys + import shutil + import subprocess + +-ufw_version = '0.33' ++ufw_version = '0.34' + + def cmd(command): + '''Try to execute the given command.''' +diff --git a/src/backend_iptables.py b/src/backend_iptables.py +index 76d8515..478e35c 100644 +--- a/src/backend_iptables.py ++++ b/src/backend_iptables.py +@@ -564,7 +564,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \ + policy) + if not pat_logall.search(s): +- lstr = '-m state --state NEW ' + lstr ++ lstr = '-m conntrack --ctstate NEW ' + lstr + snippets[i] = pat_log.sub(r'\1-j \2\4', s) + snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \ + '-user-logging-' + suffix, s)) +@@ -580,9 +580,9 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + pat_limit = re.compile(r' -j LIMIT') + for i, s in enumerate(snippets): + if pat_limit.search(s): +- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \ ++ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \ + s) +- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \ ++ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \ + ' --update --seconds 30 --hitcount 6' + \ + ' -j ' + prefix + '-user-limit', s) + tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s) +@@ -1212,12 +1212,12 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + prefix = "[UFW BLOCK] " + if self.loglevels[level] < self.loglevels["medium"]: + # only log INVALID in medium and higher +- rules_t.append([c, ['-I', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-I', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'RETURN'] + largs, '']) + else: +- rules_t.append([c, ['-A', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-A', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'LOG', \ + '--log-prefix', \ + "[UFW AUDIT INVALID] "] + \ +@@ -1236,7 +1236,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + + # loglevel medium logs all new packets with limit + if self.loglevels[level] < self.loglevels["high"]: +- largs = ['-m', 'state', '--state', 'NEW'] + limit_args ++ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args + + prefix = "[UFW AUDIT] " + for c in self.chains['before']: +diff --git a/src/ufw-init-functions b/src/ufw-init-functions +index f4783e7..c5e0319 100755 +--- a/src/ufw-init-functions ++++ b/src/ufw-init-functions +@@ -251,15 +251,15 @@ ufw_start() { + # add tracking policy + if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + + if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + +diff --git a/src/util.py b/src/util.py +index fe9cd5c..bf0a6f6 100644 +--- a/src/util.py ++++ b/src/util.py +@@ -737,12 +737,12 @@ def get_netfilter_capabilities(exe="/sbin/iptables"): + # the stuff we know isn't supported everywhere but we want to support. + + # recent-set +- if test_cap(exe, chain, ['-m', 'state', '--state', 'NEW', \ ++ if test_cap(exe, chain, ['-m', 'conntrack', '--ctstate', 'NEW', \ + '-m', 'recent', '--set']): + caps.append('recent-set') + + # recent-update +- if test_cap(exe, chain, ['-m', 'state', '--state', 'NEW', \ ++ if test_cap(exe, chain, ['-m', 'conntrack', '--ctstate', 'NEW', \ + '-m', 'recent', '--update', \ + '--seconds', '30', \ + '--hitcount', '6']): +diff --git a/tests/bugs/rules/result b/tests/bugs/rules/result +index af2879a..396ff4c 100644 +--- a/tests/bugs/rules/result ++++ b/tests/bugs/rules/result +@@ -28,7 +28,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -73,7 +73,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/check-requirements b/tests/check-requirements +index 613a3c8..ffbe9fc 100755 +--- a/tests/check-requirements ++++ b/tests/check-requirements +@@ -172,24 +172,24 @@ for i in "" 6; do + done + + echo -n "hashlimit: " +- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT ++ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT + + echo -n "limit: " + runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + for j in NEW RELATED ESTABLISHED INVALID; do + echo -n "state ($j): " +- runcmd $exe -A $c -m state --state $j ++ runcmd $exe -A $c -m conntrack --ctstate $j + done + + echo -n "state (new, recent set): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --set ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --set + + echo -n "state (new, recent update): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT + + echo -n "state (new, limit): " +- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT ++ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + echo -n "interface (input): " + runcmd $exe -A $c -i eth0 -j ACCEPT +diff --git a/tests/good/apps/result b/tests/good/apps/result +index c6988b0..8b477c2 100644 +--- a/tests/good/apps/result ++++ b/tests/good/apps/result +@@ -717,7 +717,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -760,7 +760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -803,7 +803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -847,7 +847,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -890,7 +890,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -931,7 +931,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -974,7 +974,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1017,7 +1017,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1060,7 +1060,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1103,7 +1103,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1146,7 +1146,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1189,7 +1189,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1232,7 +1232,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1276,7 +1276,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1319,7 +1319,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1360,7 +1360,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1403,7 +1403,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1446,7 +1446,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1489,7 +1489,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1532,7 +1532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1568,8 +1568,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -1577,7 +1577,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1613,8 +1613,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -1622,7 +1622,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1658,8 +1658,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -1667,7 +1667,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1703,11 +1703,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -1715,7 +1715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1751,8 +1751,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1760,7 +1760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1791,13 +1791,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1805,7 +1805,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1841,8 +1841,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -1850,7 +1850,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1886,8 +1886,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP' + + ### END RULES ### +@@ -1895,7 +1895,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1931,8 +1931,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -1940,7 +1940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1976,8 +1976,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080:8089 0.0.0.0/0 any 0.0.0.0/0 Custom%20Web%20App2 - in +--A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m state --state NEW -m recent --set -m comment --comment 'dapp_Custom%20Web%20App2' +--A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Custom%20Web%20App2' ++-A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Custom%20Web%20App2' ++-A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Custom%20Web%20App2' + -A ufw-user-input -p tcp -m multiport --dports 8080:8089 -j ufw-user-limit-accept -m comment --comment 'dapp_Custom%20Web%20App2' + + ### END RULES ### +@@ -1985,7 +1985,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2029,7 +2029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2072,7 +2072,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2115,7 +2115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2159,7 +2159,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2202,7 +2202,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2243,7 +2243,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2286,7 +2286,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2329,7 +2329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2372,7 +2372,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2415,7 +2415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2458,7 +2458,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2501,7 +2501,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2545,7 +2545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2588,7 +2588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2629,7 +2629,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2672,7 +2672,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2715,7 +2715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2758,7 +2758,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2801,7 +2801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2844,7 +2844,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2887,7 +2887,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2931,7 +2931,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2974,7 +2974,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3015,7 +3015,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3058,7 +3058,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3101,7 +3101,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3144,7 +3144,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3187,7 +3187,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3230,7 +3230,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3273,7 +3273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3317,7 +3317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3360,7 +3360,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3401,7 +3401,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3444,7 +3444,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3487,7 +3487,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3530,7 +3530,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3573,7 +3573,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3616,7 +3616,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3659,7 +3659,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3700,7 +3700,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3743,7 +3743,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3784,7 +3784,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3827,7 +3827,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3870,7 +3870,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3913,7 +3913,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3956,7 +3956,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3997,7 +3997,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4040,7 +4040,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4081,7 +4081,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4124,7 +4124,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4167,7 +4167,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4208,7 +4208,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4251,7 +4251,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4294,7 +4294,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4337,7 +4337,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4378,7 +4378,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4421,7 +4421,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4462,7 +4462,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4505,7 +4505,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4548,7 +4548,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4591,7 +4591,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4634,7 +4634,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4675,7 +4675,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4718,7 +4718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4759,7 +4759,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4802,7 +4802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4845,7 +4845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4886,7 +4886,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4929,7 +4929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4972,7 +4972,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5015,7 +5015,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5059,7 +5059,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5102,7 +5102,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5143,7 +5143,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5186,7 +5186,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5229,7 +5229,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5272,7 +5272,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5315,7 +5315,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5358,7 +5358,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5401,7 +5401,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5445,7 +5445,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5488,7 +5488,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5529,7 +5529,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5572,7 +5572,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5615,7 +5615,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5658,7 +5658,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5701,7 +5701,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5744,7 +5744,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5787,7 +5787,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5831,7 +5831,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5874,7 +5874,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5915,7 +5915,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5958,7 +5958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6001,7 +6001,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6044,7 +6044,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6087,7 +6087,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6130,7 +6130,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6173,7 +6173,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6217,7 +6217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6260,7 +6260,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6301,7 +6301,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6344,7 +6344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6387,7 +6387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6430,7 +6430,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6473,7 +6473,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6516,7 +6516,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6559,7 +6559,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6600,7 +6600,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6643,7 +6643,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6684,7 +6684,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6727,7 +6727,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6770,7 +6770,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6813,7 +6813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6856,7 +6856,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6897,7 +6897,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6940,7 +6940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6981,7 +6981,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7024,7 +7024,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7067,7 +7067,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7108,7 +7108,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7151,7 +7151,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7194,7 +7194,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7237,7 +7237,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7278,7 +7278,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7321,7 +7321,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7362,7 +7362,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7405,7 +7405,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7448,7 +7448,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7491,7 +7491,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7534,7 +7534,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7575,7 +7575,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7618,7 +7618,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7659,7 +7659,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7702,7 +7702,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7745,7 +7745,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7786,7 +7786,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7822,8 +7822,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.0/16 any 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -7831,7 +7831,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7867,8 +7867,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 192.168.0.0/16 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -7876,7 +7876,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7912,8 +7912,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 192.168.0.0/16 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -7921,7 +7921,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7957,11 +7957,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 192.168.0.0/16 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -7969,7 +7969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8005,8 +8005,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.0/16 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8014,7 +8014,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8045,13 +8045,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.0/16 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.0/16 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8059,7 +8059,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8095,8 +8095,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 192.168.0.0/16 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -8104,7 +8104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8140,8 +8140,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 192.168.0.0/16 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP' + + ### END RULES ### +@@ -8149,7 +8149,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8185,8 +8185,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 192.168.0.0/16 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -8194,7 +8194,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8230,8 +8230,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -8239,7 +8239,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8275,8 +8275,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -8284,7 +8284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8320,8 +8320,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -8329,7 +8329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8365,11 +8365,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -8377,7 +8377,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8413,8 +8413,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8422,7 +8422,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8453,13 +8453,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8467,7 +8467,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8503,8 +8503,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -8512,7 +8512,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8548,8 +8548,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP' + + ### END RULES ### +@@ -8557,7 +8557,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8593,8 +8593,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -8602,7 +8602,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8638,8 +8638,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.0/16 - Apache in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -8647,7 +8647,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8683,8 +8683,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 443 192.168.0.0/16 - Apache%20Secure in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Secure' + + ### END RULES ### +@@ -8692,7 +8692,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8728,8 +8728,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80,443 192.168.0.0/16 - Apache%20Full in +--A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Full' + + ### END RULES ### +@@ -8737,7 +8737,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8773,11 +8773,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 53 192.168.0.0/16 - Bind9 in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' + + ### END RULES ### +@@ -8785,7 +8785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8821,8 +8821,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 192.168.0.0/16 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -8830,7 +8830,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8861,13 +8861,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 192.168.0.0/16 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 192.168.0.0/16 - Samba in +--A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -8875,7 +8875,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8911,8 +8911,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 123 192.168.0.0/16 - OpenNTPD in +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -8920,7 +8920,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8956,8 +8956,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 1234,5678 192.168.0.0/16 - Multi%20TCP in +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20TCP' + + ### END RULES ### +@@ -8965,7 +8965,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9001,8 +9001,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 1234,5678 192.168.0.0/16 - Multi%20UDP in +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20UDP' + + ### END RULES ### +@@ -9010,7 +9010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9046,8 +9046,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 0.0.0.0/0 - Apache in +--A ufw-user-input -p tcp --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -9055,7 +9055,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9091,8 +9091,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 443 0.0.0.0/0 - Apache%20Secure in +--A ufw-user-input -p tcp --sport 443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' +--A ufw-user-input -p tcp --sport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp --sport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp --sport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' + -A ufw-user-input -p tcp --sport 443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Secure' + + ### END RULES ### +@@ -9100,7 +9100,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9136,8 +9136,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80,443 0.0.0.0/0 - Apache%20Full in +--A ufw-user-input -p tcp -m multiport --sports 80,443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --sports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --sports 80,443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Full' + + ### END RULES ### +@@ -9145,7 +9145,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9181,11 +9181,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 53 0.0.0.0/0 - Bind9 in +--A ufw-user-input -p tcp --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p tcp --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p tcp --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p udp --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' + + ### END RULES ### +@@ -9193,7 +9193,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9229,8 +9229,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9238,7 +9238,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9269,13 +9269,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 0.0.0.0/0 - Samba in +--A ufw-user-input -p tcp -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9283,7 +9283,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9319,8 +9319,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 123 0.0.0.0/0 - OpenNTPD in +--A ufw-user-input -p udp --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -9328,7 +9328,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9364,8 +9364,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 1234,5678 0.0.0.0/0 - Multi%20TCP in +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --sports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20TCP' + + ### END RULES ### +@@ -9373,7 +9373,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9409,8 +9409,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 1234,5678 0.0.0.0/0 - Multi%20UDP in +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --sports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20UDP' + + ### END RULES ### +@@ -9418,7 +9418,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9454,8 +9454,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080 192.168.0.2 80 192.168.0.1 - Apache in +--A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -9463,7 +9463,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9499,8 +9499,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 10123 192.168.0.2 123 192.168.0.1 - OpenNTPD in +--A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -9508,7 +9508,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9544,8 +9544,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 53 192.168.0.2 137,138 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -9553,7 +9553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9584,13 +9584,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 53 192.168.0.2 137,138 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### tuple ### limit tcp 53 192.168.0.2 139,445 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -9598,7 +9598,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9634,8 +9634,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 22 192.168.0.2 137,138 192.168.0.1 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9643,7 +9643,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9674,13 +9674,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 22 192.168.0.2 137,138 192.168.0.1 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp 22 192.168.0.2 139,445 192.168.0.1 - Samba in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9688,7 +9688,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9724,8 +9724,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 192.168.0.2 80 192.168.0.1 Apache%20Full Apache in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + + ### END RULES ### +@@ -9733,7 +9733,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9769,8 +9769,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.1 8080 192.168.0.2 Apache - in +--A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -9778,7 +9778,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9814,8 +9814,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 192.168.0.1 10123 192.168.0.2 OpenNTPD - in +--A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -9823,7 +9823,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9859,8 +9859,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -9868,7 +9868,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9899,13 +9899,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### tuple ### limit tcp 139,445 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -9913,7 +9913,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9949,8 +9949,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -9958,7 +9958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9989,13 +9989,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -10003,7 +10003,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10039,8 +10039,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.1 80,443 192.168.0.2 Apache Apache%20Full in +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + + ### END RULES ### +@@ -10048,7 +10048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10084,8 +10084,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10093,7 +10093,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10124,13 +10124,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10138,7 +10138,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10174,8 +10174,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080 0.0.0.0/0 80 0.0.0.0/0 - Apache in +--A ufw-user-input -p tcp --dport 8080 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp --dport 8080 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --dport 8080 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --dport 8080 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp --dport 8080 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -10183,7 +10183,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10219,8 +10219,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 10123 0.0.0.0/0 123 0.0.0.0/0 - OpenNTPD in +--A ufw-user-input -p udp --dport 10123 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp --dport 10123 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 10123 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 10123 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp --dport 10123 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -10228,7 +10228,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10264,8 +10264,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 53 0.0.0.0/0 137,138 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -10273,7 +10273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10304,13 +10304,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 53 0.0.0.0/0 137,138 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### tuple ### limit tcp 53 0.0.0.0/0 139,445 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -10318,7 +10318,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10354,8 +10354,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 22 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -10363,7 +10363,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10394,13 +10394,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 22 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp 22 0.0.0.0/0 139,445 0.0.0.0/0 - Samba in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -10408,7 +10408,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10444,8 +10444,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 80 0.0.0.0/0 Apache%20Full Apache in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + + ### END RULES ### +@@ -10453,7 +10453,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10489,8 +10489,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 8080 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 --sport 8080 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 --sport 8080 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 --sport 8080 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 --sport 8080 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 --sport 8080 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -10498,7 +10498,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10534,8 +10534,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 10123 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 --sport 10123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 --sport 10123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 --sport 10123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 --sport 10123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 --sport 10123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -10543,7 +10543,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10579,8 +10579,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -10588,7 +10588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10619,13 +10619,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -10633,7 +10633,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10669,8 +10669,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 22 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -10678,7 +10678,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10709,13 +10709,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 22 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 22 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -10723,7 +10723,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10759,8 +10759,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 80,443 0.0.0.0/0 Apache Apache%20Full in +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + + ### END RULES ### +@@ -10768,7 +10768,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10804,8 +10804,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 137,138 0.0.0.0/0 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10813,7 +10813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10844,13 +10844,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 137,138 0.0.0.0/0 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 139,445 0.0.0.0/0 Samba Samba in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10858,7 +10858,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10902,7 +10902,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10945,7 +10945,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10994,7 +10994,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11042,7 +11042,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11083,7 +11083,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11140,7 +11140,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11181,7 +11181,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11252,7 +11252,7 @@ TESTING INSERT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11299,7 +11299,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11389,7 +11389,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11445,7 +11445,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11508,7 +11508,7 @@ TESTING APPLICATION INTEGRATION (interfaces) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11552,7 +11552,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11614,7 +11614,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11658,7 +11658,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11698,33 +11698,33 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit udp any 0.0.0.0/0 137,138 10.0.0.1 - Samba in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 10.0.0.1 - Samba in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -11732,7 +11732,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11776,7 +11776,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11838,7 +11838,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11882,7 +11882,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11942,7 +11942,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11986,7 +11986,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12048,7 +12048,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12092,7 +12092,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12154,7 +12154,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12198,7 +12198,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12238,33 +12238,33 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit udp any 0.0.0.0/0 137,138 10.0.0.1 - Samba out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 10.0.0.1 - Samba out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -12272,7 +12272,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12316,7 +12316,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12378,7 +12378,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12422,7 +12422,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12482,7 +12482,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12526,7 +12526,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/good/logging/result b/tests/good/logging/result +index 6714e12..4b23f9a 100644 +--- a/tests/good/logging/result ++++ b/tests/good/logging/result +@@ -102,69 +102,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j ACCEPT + + ### tuple ### allow_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j ACCEPT + + ### tuple ### allow_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j ACCEPT -m comment --comment 'dapp_Apache' + + ### tuple ### allow_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ACCEPT + + ### tuple ### allow_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### allow_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -175,12 +175,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -245,12 +245,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -383,12 +383,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -453,12 +453,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -518,69 +518,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j DROP + + ### tuple ### deny_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j DROP + + ### tuple ### deny_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j DROP +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j DROP -m comment --comment 'dapp_Apache' + + ### tuple ### deny_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j DROP + + ### tuple ### deny_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j DROP -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### deny_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j DROP -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -591,12 +591,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -661,12 +661,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -799,12 +799,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -869,12 +869,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -934,95 +934,95 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 69 -j ufw-user-limit-accept + + ### tuple ### limit_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 443 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### tuple ### limit_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -1031,12 +1031,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1101,12 +1101,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1169,92 +1169,92 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all tcp 25 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p tcp --dport 25 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 69 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p udp --dport 69 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 69 -j ufw-user-limit-accept + + ### tuple ### limit_log-all any 443 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p tcp --dport 443 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 443 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 443 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in + -A ufw-user-logging-input -p tcp --dport 80 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### tuple ### limit_log-all tcp 25 10.0.0.1 25 192.168.0.1 in + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -1263,12 +1263,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1333,12 +1333,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1398,69 +1398,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j REJECT --reject-with tcp-reset + + ### tuple ### reject_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j REJECT + + ### tuple ### reject_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Apache' + + ### tuple ### reject_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j REJECT --reject-with tcp-reset + + ### tuple ### reject_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j REJECT -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### reject_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -1471,12 +1471,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1541,12 +1541,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1679,12 +1679,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1749,12 +1749,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1797,13 +1797,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1820,12 +1820,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1867,19 +1867,19 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log-all tcp 23 10.0.0.1 any 192.168.0.1 in +@@ -1894,12 +1894,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1946,12 +1946,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -2006,13 +2006,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ACCEPT +@@ -2024,13 +2024,13 @@ contents of user*.rules: + -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j DROP + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -A ufw-user-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ACCEPT +@@ -2047,12 +2047,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -2163,7 +2163,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2211,12 +2211,12 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -2262,7 +2262,7 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " + -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m limit --limit 3/min --limit-burst 10 +@@ -2313,7 +2313,7 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " + -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " +@@ -2364,7 +2364,7 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " + -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " +diff --git a/tests/good/rules/result b/tests/good/rules/result +index 7c1570a..e4b918c 100644 +--- a/tests/good/rules/result ++++ b/tests/good/rules/result +@@ -29,7 +29,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -72,7 +72,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -115,7 +115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -158,7 +158,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -201,7 +201,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -244,7 +244,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -284,7 +284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -320,8 +320,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept + + ### END RULES ### +@@ -329,7 +329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -373,7 +373,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -416,7 +416,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -459,7 +459,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -502,7 +502,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -545,7 +545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -588,7 +588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -631,7 +631,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -676,7 +676,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -719,7 +719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -763,7 +763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -806,7 +806,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -849,7 +849,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -889,7 +889,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -929,7 +929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -969,7 +969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1012,7 +1012,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1052,7 +1052,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1095,7 +1095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1135,7 +1135,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1178,7 +1178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1218,7 +1218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1261,7 +1261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1301,7 +1301,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1345,7 +1345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1385,7 +1385,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1428,7 +1428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1468,7 +1468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1511,7 +1511,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1551,7 +1551,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1595,7 +1595,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1635,7 +1635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1678,7 +1678,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1718,7 +1718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1761,7 +1761,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1801,7 +1801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1845,7 +1845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1885,7 +1885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1929,7 +1929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1969,7 +1969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2013,7 +2013,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2053,7 +2053,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2097,7 +2097,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2137,7 +2137,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2181,7 +2181,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2221,7 +2221,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2264,7 +2264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2304,7 +2304,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2347,7 +2347,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2387,7 +2387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2430,7 +2430,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2470,7 +2470,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2513,7 +2513,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2553,7 +2553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2596,7 +2596,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2636,7 +2636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2679,7 +2679,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2719,7 +2719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2762,7 +2762,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2802,7 +2802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2845,7 +2845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2885,7 +2885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2928,7 +2928,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2968,7 +2968,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3011,7 +3011,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3051,7 +3051,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3094,7 +3094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3134,7 +3134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3177,7 +3177,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3217,7 +3217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3260,7 +3260,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3300,7 +3300,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3344,7 +3344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3384,7 +3384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3428,7 +3428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3468,7 +3468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3512,7 +3512,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3552,7 +3552,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3596,7 +3596,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3636,7 +3636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3680,7 +3680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3720,7 +3720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3763,7 +3763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3803,7 +3803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3846,7 +3846,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3886,7 +3886,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3929,7 +3929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3969,7 +3969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4012,7 +4012,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4052,7 +4052,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4095,7 +4095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4135,7 +4135,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4178,7 +4178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4218,7 +4218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4261,7 +4261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4301,7 +4301,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4344,7 +4344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4384,7 +4384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4427,7 +4427,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4467,7 +4467,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4510,7 +4510,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4550,7 +4550,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4586,8 +4586,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 any 192.168.0.1 in +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4595,7 +4595,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4635,7 +4635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4671,8 +4671,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4680,7 +4680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4720,7 +4720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4756,8 +4756,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4765,7 +4765,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4805,7 +4805,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4841,11 +4841,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4853,7 +4853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4893,7 +4893,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4929,11 +4929,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4941,7 +4941,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4981,7 +4981,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5017,11 +5017,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5029,7 +5029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5069,7 +5069,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5105,11 +5105,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5117,7 +5117,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5157,7 +5157,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5193,11 +5193,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5205,7 +5205,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5245,7 +5245,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5281,8 +5281,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5290,7 +5290,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5330,7 +5330,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5366,8 +5366,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5375,7 +5375,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5415,7 +5415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5451,8 +5451,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5460,7 +5460,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5500,7 +5500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5536,8 +5536,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5545,7 +5545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5585,7 +5585,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5621,8 +5621,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5630,7 +5630,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5670,7 +5670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5706,8 +5706,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5715,7 +5715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5755,7 +5755,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5791,8 +5791,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5800,7 +5800,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5840,7 +5840,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5876,8 +5876,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5885,7 +5885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5925,7 +5925,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5961,8 +5961,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5970,7 +5970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6010,7 +6010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6046,8 +6046,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -6055,7 +6055,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6095,7 +6095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6139,7 +6139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6179,7 +6179,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6222,7 +6222,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6262,7 +6262,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6305,7 +6305,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6345,7 +6345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6388,7 +6388,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6428,7 +6428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6471,7 +6471,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6511,7 +6511,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6554,7 +6554,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6594,7 +6594,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6637,7 +6637,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6677,7 +6677,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6720,7 +6720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6760,7 +6760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6803,7 +6803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6843,7 +6843,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6886,7 +6886,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6926,7 +6926,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6970,7 +6970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7010,7 +7010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7054,7 +7054,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7094,7 +7094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7138,7 +7138,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7178,7 +7178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7221,7 +7221,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7261,7 +7261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7304,7 +7304,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7344,7 +7344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7387,7 +7387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7427,7 +7427,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7470,7 +7470,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7510,7 +7510,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7553,7 +7553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7593,7 +7593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7636,7 +7636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7676,7 +7676,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7719,7 +7719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7759,7 +7759,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7802,7 +7802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7842,7 +7842,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7885,7 +7885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7925,7 +7925,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7968,7 +7968,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8008,7 +8008,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8051,7 +8051,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8091,7 +8091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8134,7 +8134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8174,7 +8174,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8217,7 +8217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8257,7 +8257,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8300,7 +8300,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8340,7 +8340,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8383,7 +8383,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8423,7 +8423,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8466,7 +8466,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8506,7 +8506,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8550,7 +8550,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8594,7 +8594,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8637,7 +8637,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8680,7 +8680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8724,7 +8724,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8767,7 +8767,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8810,7 +8810,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8854,7 +8854,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8898,7 +8898,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8941,7 +8941,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8984,7 +8984,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9027,7 +9027,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9070,7 +9070,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9113,7 +9113,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9156,7 +9156,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9199,7 +9199,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9242,7 +9242,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9285,7 +9285,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9328,7 +9328,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9371,7 +9371,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9414,7 +9414,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9457,7 +9457,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9500,7 +9500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9543,7 +9543,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9586,7 +9586,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9629,7 +9629,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9672,7 +9672,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9715,7 +9715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9758,7 +9758,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9801,7 +9801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9844,7 +9844,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9887,7 +9887,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9930,7 +9930,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9973,7 +9973,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10016,7 +10016,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10059,7 +10059,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10102,7 +10102,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10145,7 +10145,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10188,7 +10188,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10231,7 +10231,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10274,7 +10274,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10317,7 +10317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10360,7 +10360,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10403,7 +10403,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10446,7 +10446,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10489,7 +10489,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10532,7 +10532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10575,7 +10575,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10618,7 +10618,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10661,7 +10661,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10704,7 +10704,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10747,7 +10747,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10790,7 +10790,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10833,7 +10833,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10876,7 +10876,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10919,7 +10919,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10962,7 +10962,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11005,7 +11005,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11048,7 +11048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11091,7 +11091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11134,7 +11134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11177,7 +11177,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11220,7 +11220,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11263,7 +11263,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11306,7 +11306,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11349,7 +11349,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11392,7 +11392,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11435,7 +11435,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11478,7 +11478,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11521,7 +11521,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11564,7 +11564,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11607,7 +11607,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11650,7 +11650,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11693,7 +11693,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11736,7 +11736,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11779,7 +11779,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11815,8 +11815,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11824,7 +11824,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11860,8 +11860,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11869,7 +11869,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11905,8 +11905,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11914,7 +11914,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11950,8 +11950,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11959,7 +11959,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11995,8 +11995,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1,9 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 1,9 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 1,9 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 1,9 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12004,7 +12004,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12040,8 +12040,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12049,7 +12049,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12085,8 +12085,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12094,7 +12094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12130,8 +12130,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12139,7 +12139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12175,8 +12175,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12184,7 +12184,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12220,8 +12220,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1,9 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 1,9 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 1,9 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 1,9 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12229,7 +12229,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12273,7 +12273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12317,7 +12317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12357,7 +12357,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12400,7 +12400,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12440,7 +12440,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12484,7 +12484,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12527,7 +12527,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12570,7 +12570,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12613,7 +12613,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12656,7 +12656,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12706,11 +12706,11 @@ Insert + ### RULES ### + + ### tuple ### allow_log any 9998 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 9998 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 9998 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 9998 -j RETURN + -A ufw-user-input -p tcp --dport 9998 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 9998 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 9998 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 9998 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 9998 -j RETURN + -A ufw-user-input -p udp --dport 9998 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 9998 -j ACCEPT +@@ -12735,7 +12735,7 @@ Insert + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12785,7 +12785,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12908,7 +12908,7 @@ Interfaces + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12982,7 +12982,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13100,7 +13100,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13174,7 +13174,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13244,83 +13244,83 @@ COMMIT + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-input -i eth0 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 0.0.0.0/0 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp 22 192.168.0.1 any 0.0.0.0/0 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 0.0.0.0/0 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp any 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -13328,7 +13328,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13402,7 +13402,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13520,7 +13520,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13594,7 +13594,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13638,7 +13638,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13676,7 +13676,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13794,7 +13794,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13868,7 +13868,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13986,7 +13986,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14060,7 +14060,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14130,83 +14130,83 @@ COMMIT + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-output -o eth0 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 0.0.0.0/0 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp 22 192.168.0.1 any 0.0.0.0/0 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 0.0.0.0/0 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp any 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -14214,7 +14214,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14288,7 +14288,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14406,7 +14406,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14480,7 +14480,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14524,7 +14524,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14562,7 +14562,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14603,7 +14603,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14646,7 +14646,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14690,7 +14690,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14733,7 +14733,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14776,7 +14776,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14819,7 +14819,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/logging/result b/tests/ipv6/logging/result +index dd9c077..afd72dd 100644 +--- a/tests/ipv6/logging/result ++++ b/tests/ipv6/logging/result +@@ -26,23 +26,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -52,7 +52,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -81,23 +81,23 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -107,7 +107,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -143,7 +143,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -176,7 +176,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -209,7 +209,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -238,7 +238,7 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -248,7 +248,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -281,7 +281,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -314,7 +314,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -372,7 +372,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -427,7 +427,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -463,7 +463,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -496,7 +496,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -529,7 +529,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -568,7 +568,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -601,7 +601,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -634,7 +634,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -666,23 +666,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -692,7 +692,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -721,23 +721,23 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -747,7 +747,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -783,7 +783,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -816,7 +816,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -849,7 +849,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -878,7 +878,7 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -888,7 +888,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -921,7 +921,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -954,7 +954,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1012,7 +1012,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1067,7 +1067,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1103,7 +1103,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1136,7 +1136,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1169,7 +1169,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1208,7 +1208,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1241,7 +1241,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1274,7 +1274,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1306,33 +1306,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1340,7 +1340,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1373,7 +1373,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1409,7 +1409,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1442,7 +1442,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1475,7 +1475,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1508,7 +1508,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1541,7 +1541,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1574,7 +1574,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1609,30 +1609,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1640,7 +1640,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1673,7 +1673,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1709,7 +1709,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1742,7 +1742,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1775,7 +1775,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1808,7 +1808,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1841,7 +1841,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1874,7 +1874,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1906,23 +1906,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -1932,7 +1932,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1961,23 +1961,23 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -1987,7 +1987,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2023,7 +2023,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2056,7 +2056,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2089,7 +2089,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2118,7 +2118,7 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -2128,7 +2128,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2161,7 +2161,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2194,7 +2194,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2252,7 +2252,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2307,7 +2307,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2343,7 +2343,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2376,7 +2376,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2409,7 +2409,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2448,7 +2448,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2481,7 +2481,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2514,7 +2514,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2547,13 +2547,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -2563,7 +2563,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2592,13 +2592,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -2614,7 +2614,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2646,13 +2646,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -2662,7 +2662,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2691,13 +2691,13 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -2713,7 +2713,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2749,7 +2749,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2782,7 +2782,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2827,13 +2827,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT +@@ -2843,7 +2843,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2872,13 +2872,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -A ufw6-user-input -i eth0 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in_eth0 +--A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -2890,13 +2890,13 @@ COMMIT + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -A ufw6-user-output -o eth0 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 out_eth0 +--A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -2912,7 +2912,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/logging/result.1.3 b/tests/ipv6/logging/result.1.3 +index 5b0c26d..036b49e 100644 +--- a/tests/ipv6/logging/result.1.3 ++++ b/tests/ipv6/logging/result.1.3 +@@ -15,23 +15,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -48,11 +48,11 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT +@@ -111,7 +111,7 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -303,23 +303,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -336,11 +336,11 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP +@@ -399,7 +399,7 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -591,33 +591,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -730,30 +730,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -863,23 +863,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -896,11 +896,11 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT +@@ -959,7 +959,7 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -1152,13 +1152,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1198,13 +1198,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -1285,13 +1285,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT +@@ -1308,13 +1308,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -A ufw6-user-input -i eth0 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in_eth0 +--A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -1326,13 +1326,13 @@ COMMIT + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -A ufw6-user-output -o eth0 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 out_eth0 +--A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +diff --git a/tests/ipv6/rules6/result b/tests/ipv6/rules6/result +index 4e6a197..4fd299c 100644 +--- a/tests/ipv6/rules6/result ++++ b/tests/ipv6/rules6/result +@@ -26,7 +26,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -62,7 +62,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -94,7 +94,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -129,7 +129,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -161,7 +161,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -196,7 +196,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -228,7 +228,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -264,7 +264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -296,7 +296,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -332,7 +332,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -364,7 +364,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -400,7 +400,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -432,7 +432,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -468,7 +468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -500,7 +500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -536,7 +536,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -568,7 +568,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -603,7 +603,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -635,7 +635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -670,7 +670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -702,7 +702,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -737,7 +737,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -769,7 +769,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -804,7 +804,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -836,7 +836,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -871,7 +871,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -903,7 +903,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -938,7 +938,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -970,7 +970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1005,7 +1005,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1037,7 +1037,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1072,7 +1072,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1104,7 +1104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1139,7 +1139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1171,7 +1171,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1206,7 +1206,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1238,7 +1238,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1273,7 +1273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1305,7 +1305,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1340,7 +1340,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1372,7 +1372,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1408,7 +1408,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1440,7 +1440,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1475,7 +1475,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1507,7 +1507,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1542,7 +1542,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1574,7 +1574,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1609,7 +1609,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1641,7 +1641,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1677,7 +1677,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1709,7 +1709,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1745,7 +1745,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1777,7 +1777,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1813,7 +1813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1845,7 +1845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1881,7 +1881,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1913,7 +1913,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1949,7 +1949,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1981,7 +1981,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2016,7 +2016,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2048,7 +2048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2083,7 +2083,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2115,7 +2115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2150,7 +2150,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2182,7 +2182,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2217,7 +2217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2249,7 +2249,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2284,7 +2284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2316,7 +2316,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2351,7 +2351,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2383,7 +2383,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2418,7 +2418,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2450,7 +2450,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2485,7 +2485,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2517,7 +2517,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2552,7 +2552,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2584,7 +2584,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2619,7 +2619,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2651,7 +2651,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2686,7 +2686,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2718,7 +2718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2753,7 +2753,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2785,7 +2785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2821,7 +2821,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2853,7 +2853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3099,7 +3099,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3134,7 +3134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3169,7 +3169,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3204,7 +3204,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3239,7 +3239,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3274,7 +3274,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3309,7 +3309,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3345,7 +3345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3380,7 +3380,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3415,7 +3415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3450,7 +3450,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3485,7 +3485,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3520,7 +3520,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3555,7 +3555,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3590,7 +3590,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3625,7 +3625,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3660,7 +3660,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3695,7 +3695,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3730,7 +3730,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3765,7 +3765,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3800,7 +3800,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3835,7 +3835,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3870,7 +3870,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3905,7 +3905,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3940,7 +3940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3975,7 +3975,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4010,7 +4010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4045,7 +4045,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4080,7 +4080,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4115,7 +4115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4150,7 +4150,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4187,7 +4187,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4223,7 +4223,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4261,7 +4261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4297,7 +4297,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4335,7 +4335,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4371,7 +4371,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4409,7 +4409,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4445,7 +4445,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4483,7 +4483,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4519,7 +4519,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4557,7 +4557,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4593,7 +4593,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4631,7 +4631,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4667,7 +4667,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4705,7 +4705,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4741,7 +4741,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4779,7 +4779,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4815,7 +4815,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4853,7 +4853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4889,7 +4889,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4927,7 +4927,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4963,7 +4963,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5001,7 +5001,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5037,7 +5037,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5075,7 +5075,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5111,7 +5111,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5149,7 +5149,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5185,7 +5185,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5223,7 +5223,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5259,7 +5259,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5297,7 +5297,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5333,7 +5333,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5371,7 +5371,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5407,7 +5407,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5445,7 +5445,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5481,7 +5481,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5519,7 +5519,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5555,7 +5555,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5593,7 +5593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5629,7 +5629,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5667,7 +5667,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5703,7 +5703,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5741,7 +5741,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5777,7 +5777,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5815,7 +5815,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5851,7 +5851,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5889,7 +5889,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5925,7 +5925,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5999,7 +5999,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6034,7 +6034,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6069,7 +6069,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6104,7 +6104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/rules64/result b/tests/ipv6/rules64/result +index 8703253..cc2d397 100644 +--- a/tests/ipv6/rules64/result ++++ b/tests/ipv6/rules64/result +@@ -29,7 +29,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -66,7 +66,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -104,7 +104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -140,7 +140,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -178,7 +178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -214,7 +214,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -252,7 +252,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -288,7 +288,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -326,7 +326,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -367,7 +367,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -404,7 +404,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -440,7 +440,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -475,7 +475,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -508,7 +508,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -539,8 +539,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept + + ### END RULES ### +@@ -548,7 +548,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -593,7 +593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -630,7 +630,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -668,7 +668,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -704,7 +704,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -742,7 +742,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -785,7 +785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -828,7 +828,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -871,7 +871,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -914,7 +914,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -958,7 +958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -994,7 +994,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1029,7 +1029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1062,7 +1062,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1100,7 +1100,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1136,7 +1136,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1171,7 +1171,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1204,7 +1204,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1242,7 +1242,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1278,7 +1278,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1313,7 +1313,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1346,7 +1346,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1384,7 +1384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1420,7 +1420,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1455,7 +1455,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1488,7 +1488,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1527,7 +1527,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1564,7 +1564,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1599,7 +1599,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1632,7 +1632,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1670,7 +1670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1706,7 +1706,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1741,7 +1741,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1774,7 +1774,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1812,7 +1812,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1848,7 +1848,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1883,7 +1883,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1916,7 +1916,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1955,7 +1955,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1991,7 +1991,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2026,7 +2026,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2059,7 +2059,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2097,7 +2097,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2133,7 +2133,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2168,7 +2168,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2201,7 +2201,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2240,7 +2240,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2277,7 +2277,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2312,7 +2312,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2345,7 +2345,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2384,7 +2384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2428,7 +2428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2471,7 +2471,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2514,7 +2514,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2558,7 +2558,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2601,7 +2601,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2644,7 +2644,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2685,7 +2685,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2720,7 +2720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2755,7 +2755,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2790,7 +2790,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2825,7 +2825,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2860,7 +2860,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2895,7 +2895,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3472,7 +3472,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3515,7 +3515,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3558,7 +3558,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3601,7 +3601,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3644,7 +3644,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3687,7 +3687,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3728,7 +3728,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3763,7 +3763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3798,7 +3798,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3833,7 +3833,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3868,7 +3868,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3903,7 +3903,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3940,7 +3940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3976,7 +3976,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4014,7 +4014,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4050,7 +4050,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4088,7 +4088,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4124,7 +4124,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4162,7 +4162,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4198,7 +4198,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4236,7 +4236,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4272,7 +4272,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4310,7 +4310,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4346,7 +4346,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4384,7 +4384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4420,7 +4420,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4458,7 +4458,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4494,7 +4494,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4532,7 +4532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4568,7 +4568,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4606,7 +4606,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4642,7 +4642,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4680,7 +4680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4716,7 +4716,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4754,7 +4754,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4790,7 +4790,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4828,7 +4828,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4864,7 +4864,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4902,7 +4902,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4938,7 +4938,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4976,7 +4976,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5012,7 +5012,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5050,7 +5050,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5086,7 +5086,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5117,8 +5117,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5126,7 +5126,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5163,8 +5163,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5172,7 +5172,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5209,8 +5209,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5218,7 +5218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5255,8 +5255,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5264,7 +5264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5301,8 +5301,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5310,7 +5310,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5347,8 +5347,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5356,7 +5356,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5393,8 +5393,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5402,7 +5402,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5439,8 +5439,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5448,7 +5448,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5493,7 +5493,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5529,7 +5529,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5568,7 +5568,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5604,7 +5604,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5639,7 +5639,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5672,7 +5672,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5710,7 +5710,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5750,7 +5750,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5794,7 +5794,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5831,7 +5831,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5869,7 +5869,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5905,7 +5905,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5943,7 +5943,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5979,7 +5979,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6017,7 +6017,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6053,7 +6053,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6091,7 +6091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6127,7 +6127,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6164,7 +6164,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6199,7 +6199,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6234,7 +6234,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6295,7 +6295,7 @@ ipv4 rule in ipv4 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6336,7 +6336,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6380,7 +6380,7 @@ ipv6 rule in ipv6 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6425,7 +6425,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6487,7 +6487,7 @@ ipv4 rule in ipv6 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6532,7 +6532,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6572,11 +6572,11 @@ COMMIT + -A ufw-user-input -p udp -d 127.0.0.1 --dport 23 -j ACCEPT + + ### tuple ### allow_log any 8888 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 8888 -j RETURN + -A ufw-user-input -p tcp --dport 8888 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 8888 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 8888 -j RETURN + -A ufw-user-input -p udp --dport 8888 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 8888 -j ACCEPT +@@ -6586,7 +6586,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6619,11 +6619,11 @@ COMMIT + -A ufw6-user-input -p udp -d ::1 --dport 24 -j ACCEPT + + ### tuple ### allow_log any 8888 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 8888 -j RETURN + -A ufw6-user-input -p tcp --dport 8888 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 8888 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 8888 -j RETURN + -A ufw6-user-input -p udp --dport 8888 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 8888 -j ACCEPT +@@ -6637,7 +6637,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6681,7 +6681,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6714,7 +6714,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6768,7 +6768,7 @@ Interfaces + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6810,7 +6810,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6854,7 +6854,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6887,7 +6887,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6940,7 +6940,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6982,7 +6982,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7026,7 +7026,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7059,7 +7059,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7094,7 +7094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7137,7 +7137,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7180,7 +7180,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7223,7 +7223,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7264,7 +7264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7299,7 +7299,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7334,7 +7334,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7369,7 +7369,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7406,7 +7406,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7442,7 +7442,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7480,7 +7480,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7516,7 +7516,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/bugs/result b/tests/root/bugs/result +index e7ee4da..34bee1a 100644 +--- a/tests/root/bugs/result ++++ b/tests/root/bugs/result +@@ -34,7 +34,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/live/result b/tests/root/live/result +index 78148f4..7b183c5 100644 +--- a/tests/root/live/result ++++ b/tests/root/live/result +@@ -145,8 +145,8 @@ Anywhere ALLOW 192.168.0.0/16 + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### allow any 53 ::/0 any ::/0 in + -A ufw6-user-input -p tcp --dport 53 -j ACCEPT + -A ufw6-user-input -p udp --dport 53 -j ACCEPT +@@ -368,8 +368,8 @@ Anywhere ALLOW 192.168.0.0/16 + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + TESTING ARGS (delete allow/deny to/from) + 48: delete allow 53 + WARN: Checks disabled +@@ -1057,8 +1057,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1072,8 +1072,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1082,11 +1082,11 @@ Status: active + -A ufw-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 in_eth0 +@@ -1109,7 +1109,7 @@ Status: active + -A ufw6-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow udp 137,138 ::/0 any ::/0 Samba - in_eth0 +@@ -1312,8 +1312,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1327,8 +1327,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1337,11 +1337,11 @@ Status: active + -A ufw-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 out_eth0 +@@ -1364,7 +1364,7 @@ Status: active + -A ufw6-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow udp 137,138 ::/0 any ::/0 Samba - out_eth0 +@@ -1556,8 +1556,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1571,8 +1571,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1581,11 +1581,11 @@ Status: active + -A ufw-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 in_eth0 +@@ -1777,8 +1777,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1792,8 +1792,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1802,11 +1802,11 @@ Status: active + -A ufw-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 out_eth0 +diff --git a/tests/root/live_apps/result b/tests/root/live_apps/result +index c0aa6e2..cb97ffb 100644 +--- a/tests/root/live_apps/result ++++ b/tests/root/live_apps/result +@@ -1235,7 +1235,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1318,7 +1318,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1444,7 +1444,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1543,7 +1543,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1647,7 +1647,7 @@ Rule inserted (v6) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1696,7 +1696,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1755,7 +1755,7 @@ Rule deleted (v6) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1788,7 +1788,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1889,7 +1889,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1932,7 +1932,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2005,7 +2005,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2038,7 +2038,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2173,23 +2173,23 @@ Samba on eth0 LIMIT 10.0.0.1 + + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + 225: delete limit in on eth0 to 192.168.0.1 app Samba + WARN: Checks disabled +@@ -2447,23 +2447,23 @@ Samba LIMIT OUT 10.0.0.1 on eth0 + + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + 259: delete limit out on eth0 to 192.168.0.1 app Samba + WARN: Checks disabled +diff --git a/tests/root/logging/result b/tests/root/logging/result +index bbcc434..583ec46 100644 +--- a/tests/root/logging/result ++++ b/tests/root/logging/result +@@ -35,23 +35,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -61,7 +61,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -90,29 +90,29 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -122,7 +122,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -167,7 +167,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -200,7 +200,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -261,7 +261,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -322,7 +322,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -367,7 +367,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -400,7 +400,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -435,23 +435,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -461,7 +461,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -490,29 +490,29 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -522,7 +522,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -567,7 +567,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -600,7 +600,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -661,7 +661,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -722,7 +722,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -767,7 +767,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -800,7 +800,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -835,33 +835,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -869,7 +869,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -902,7 +902,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -947,7 +947,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -980,7 +980,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1018,30 +1018,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1049,7 +1049,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1082,7 +1082,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1127,7 +1127,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1160,7 +1160,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1195,23 +1195,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -1221,7 +1221,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1250,29 +1250,29 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -1282,7 +1282,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1327,7 +1327,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1360,7 +1360,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1421,7 +1421,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1482,7 +1482,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1527,7 +1527,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1560,7 +1560,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1590,7 +1590,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1623,7 +1623,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/valid/result b/tests/root/valid/result +index 3a493da..320a728 100644 +--- a/tests/root/valid/result ++++ b/tests/root/valid/result +@@ -234,8 +234,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 27: deny 53 + WARN: Checks disabled + Rules updated +@@ -255,8 +255,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 28: allow 80/tcp + WARN: Checks disabled + Rules updated +@@ -276,8 +276,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 29: allow from 10.0.0.0/8 + WARN: Checks disabled + Rules updated +@@ -297,8 +297,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -322,8 +322,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -350,8 +350,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -381,8 +381,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -415,8 +415,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -452,8 +452,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -1173,8 +1173,8 @@ Rules updated + + + ### tuple ### limit any any 0.0.0.0/0 any 192.168.0.1 in +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1189,8 +1189,8 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1205,8 +1205,8 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1221,11 +1221,11 @@ Rules updated + + + ### tuple ### limit any any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 151: delete limit from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1237,11 +1237,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 153: delete limit to 10.0.0.1 port 25 + WARN: Checks disabled + Rules updated +@@ -1253,11 +1253,11 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 155: delete limit to 10.0.0.1 from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1269,11 +1269,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 157: delete limit to 10.0.0.1 port 25 from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1285,11 +1285,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 159: delete limit to 10.0.0.1 port 25 from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1301,8 +1301,8 @@ Rules updated + + + ### tuple ### limit udp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 161: delete limit from 192.168.0.1 port 80 proto udp + WARN: Checks disabled + Rules updated +@@ -1314,8 +1314,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 163: delete limit to 10.0.0.1 port 25 proto udp + WARN: Checks disabled + Rules updated +@@ -1327,8 +1327,8 @@ Rules updated + + + ### tuple ### limit udp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 165: delete limit to 10.0.0.1 from 192.168.0.1 port 80 proto udp + WARN: Checks disabled + Rules updated +@@ -1340,8 +1340,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 167: delete limit to 10.0.0.1 port 25 proto udp from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1353,8 +1353,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 169: delete limit to 10.0.0.1 port 25 proto udp from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1366,8 +1366,8 @@ Rules updated + + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 171: delete limit from 192.168.0.1 port 80 proto tcp + WARN: Checks disabled + Rules updated +@@ -1379,8 +1379,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 173: delete limit to 10.0.0.1 port 25 proto tcp + WARN: Checks disabled + Rules updated +@@ -1392,8 +1392,8 @@ Rules updated + + + ### tuple ### limit tcp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 175: delete limit to 10.0.0.1 from 192.168.0.1 port 80 proto tcp + WARN: Checks disabled + Rules updated +@@ -1405,8 +1405,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 177: delete limit to 10.0.0.1 port 25 proto tcp from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1418,8 +1418,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 179: delete limit to 10.0.0.1 port 25 proto tcp from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +diff --git a/tests/root/valid6/result b/tests/root/valid6/result +index dc76378..74fcd86 100644 +--- a/tests/root/valid6/result ++++ b/tests/root/valid6/result +@@ -1670,8 +1670,8 @@ Rules updated + + + ### tuple ### limit ah any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p ah -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p ah -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p ah -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p ah -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 249: delete limit to 10.0.0.1 proto ah + WARN: Checks disabled + Rules updated +diff --git a/tests/root_kern/limit6/result b/tests/root_kern/limit6/result +index 008d993..7a3a1ad 100644 +--- a/tests/root_kern/limit6/result ++++ b/tests/root_kern/limit6/result +@@ -40,27 +40,27 @@ Anywhere (v6) LIMIT 24/udp + + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### limit udp any 0.0.0.0/0 24 0.0.0.0/0 in +--A ufw-user-input -p udp --sport 24 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --sport 24 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### limit any 23 0.0.0.0/0 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### limit tcp 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw6-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + -- + ### tuple ### limit udp any ::/0 24 ::/0 in +--A ufw6-user-input -p udp --sport 24 -m state --state NEW -m recent --set +--A ufw6-user-input -p udp --sport 24 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + -- + ### tuple ### limit any 23 ::/0 any ::/0 in_eth1 +--A ufw6-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw6-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + TESTING ARGS (delete allow/deny to/from) + 6: delete limit 22/tcp + WARN: Checks disabled diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch b/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch new file mode 100644 index 0000000000..4184e33f41 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch @@ -0,0 +1,93 @@ +support ./setup.py build (LP: #819600) + +Written by Jamie Strandboge <jamie@canonical.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id 10dc74cdc0948e4038d2921e7428cbf2896df98c + +Removed ChangeLog patch due to backport status of this patch. +Modified for statement to match the one in 0.33 setup.py + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/setup.py b/setup.py +index 730c568..4e1ec9a 100644 +--- a/setup.py ++++ b/setup.py +@@ -64,37 +64,44 @@ class Install(_install, object): + real_sharedir = os.path.join(real_prefix, 'share', 'ufw') + + # Update the modules' paths +- for file in [ 'common.py', 'util.py' ]: +- print("Updating " + file) +- subprocess.call(["sed", +- "-i", +- "s%#CONFIG_PREFIX#%" + real_confdir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#STATE_PREFIX#%" + real_statedir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#PREFIX#%" + real_prefix + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#IPTABLES_DIR#%" + iptables_dir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#SHARE_DIR#%" + real_sharedir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i.jjm", +- "s%/sbin/iptables%" + iptables_exe + "%g", +- os.path.join('staging', file)]) ++ for fn in [ 'common.py', 'util.py' ]: ++ # 'staging' is used with just 'install' but build_lib is used when ++ # using 'build'. We could probably override 'def build()' but this ++ # at least works ++ for d in [os.path.join(self.build_lib, "ufw"), 'staging']: ++ f = os.path.join(d, fn) ++ if not os.path.exists(f): ++ continue ++ print("Updating " + f) ++ subprocess.call(["sed", ++ "-i", ++ "s%#CONFIG_PREFIX#%" + real_confdir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#STATE_PREFIX#%" + real_statedir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#PREFIX#%" + real_prefix + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#IPTABLES_DIR#%" + iptables_dir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#SHARE_DIR#%" + real_sharedir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i.jjm", ++ "s%/sbin/iptables%" + iptables_exe + "%g", ++ f]) + + # Now byte-compile everything + super(Install, self).run() diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch b/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch new file mode 100644 index 0000000000..5f9e68df82 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch @@ -0,0 +1,2895 @@ +adjust runtime tests to use daytime/port 13 instead of ssh/port 22 everywhere + +and adjust to use daytime/port 13 instead of http/port 80 and https/port 443 in +good/logging and ipv6/bad_args6 (Closes: 849628) + +Patch from git://git.launchpad.net/ufw +Commit f1ecc2475f8612f1ea87bd43a088d39009145dd8 + +Written by Jamie Strandboge <jamie@ubuntu.com> + +Removed code not present (tests/live_route). +Omitted result output that did not seem to change. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/tests/root/bugs/result b/tests/root/bugs/result +index 34bee1a..d1fab59 100644 +--- a/tests/root/bugs/result ++++ b/tests/root/bugs/result +@@ -94,7 +94,7 @@ Could not delete non-existent rule + + + iptables -L -n: +-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* 'dapp_Apache' */ ++ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* 'dapp_Apache' */ + + Chain ufw-user-limit (0 references) + 10: delete allow Apache +@@ -254,7 +254,7 @@ WARN: Checks disabled + Status: active + + +-37: delete allow 22 ++37: delete allow 13 + WARN: Checks disabled + Could not delete non-existent rule + Could not delete non-existent rule (v6) +@@ -266,7 +266,7 @@ Could not delete non-existent rule + Could not delete non-existent rule (v6) + + +-39: delete allow to 127.0.0.1 port 22 ++39: delete allow to 127.0.0.1 port 13 + WARN: Checks disabled + Could not delete non-existent rule + +@@ -276,7 +276,7 @@ WARN: Checks disabled + Could not delete non-existent rule + + +-41: delete allow to ::1 port 22 ++41: delete allow to ::1 port 13 + WARN: Checks disabled + Could not delete non-existent rule (v6) + +diff --git a/tests/root/bugs/runtest.sh b/tests/root/bugs/runtest.sh +index 0c4db9b..4bd68d7 100755 +--- a/tests/root/bugs/runtest.sh ++++ b/tests/root/bugs/runtest.sh +@@ -93,11 +93,11 @@ sed -i "s/IPV6=.*/IPV6=yes/" $TESTPATH/etc/default/ufw + do_cmd "0" nostats disable + do_cmd "0" nostats enable + do_cmd "0" status +-do_cmd "0" delete allow 22 ++do_cmd "0" delete allow 13 + do_cmd "0" delete allow Apache +-do_cmd "0" delete allow to 127.0.0.1 port 22 ++do_cmd "0" delete allow to 127.0.0.1 port 13 + do_cmd "0" delete allow to 127.0.0.1 app Apache +-do_cmd "0" delete allow to ::1 port 22 ++do_cmd "0" delete allow to ::1 port 13 + do_cmd "0" delete allow to ::1 app Apache + do_cmd "0" status + +diff --git a/tests/root/live/result b/tests/root/live/result +index 7b183c5..e862327 100644 +--- a/tests/root/live/result ++++ b/tests/root/live/result +@@ -71,7 +71,7 @@ WARN: Checks disabled + Rule added + + +-14: limit 22/tcp ++14: limit 13/tcp + WARN: Checks disabled + Rule added + Skipping unsupported IPv6 'limit' rule +@@ -103,7 +103,7 @@ Anywhere ALLOW 172.16.0.0/12 + Anywhere ALLOW 192.168.0.0/16 + 514/udp DENY 1.2.3.4 + 1.2.3.4 5469/udp ALLOW 1.2.3.5 5469/udp +-22/tcp LIMIT Anywhere ++13/tcp LIMIT Anywhere + 53 ALLOW Anywhere (v6) + 23/tcp ALLOW Anywhere (v6) + 25/tcp ALLOW Anywhere (v6) +@@ -144,9 +144,9 @@ Anywhere ALLOW 192.168.0.0/16 + ### tuple ### allow udp 5469 1.2.3.4 5469 1.2.3.5 in + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### allow any 53 ::/0 any ::/0 in + -A ufw6-user-input -p tcp --dport 53 -j ACCEPT + -A ufw6-user-input -p udp --dport 53 -j ACCEPT +@@ -221,7 +221,7 @@ WARN: Checks disabled + Rule deleted + + +-28: delete limit 22/tcp ++28: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + Skipping unsupported IPv6 'limit' rule +@@ -311,7 +311,7 @@ WARN: Checks disabled + Rule added + + +-46: limit 22/tcp ++46: limit 13/tcp + WARN: Checks disabled + Rule added + +@@ -332,7 +332,7 @@ Anywhere ALLOW 172.16.0.0/12 + Anywhere ALLOW 192.168.0.0/16 + 514/udp DENY 1.2.3.4 + 1.2.3.4 5469/udp ALLOW 1.2.3.5 5469/udp +-22/tcp LIMIT Anywhere ++13/tcp LIMIT Anywhere + + + +@@ -367,9 +367,9 @@ Anywhere ALLOW 192.168.0.0/16 + ### tuple ### allow udp 5469 1.2.3.4 5469 1.2.3.5 in + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + TESTING ARGS (delete allow/deny to/from) + 48: delete allow 53 + WARN: Checks disabled +@@ -421,7 +421,7 @@ WARN: Checks disabled + Rule deleted + + +-58: delete limit 22/tcp ++58: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + +@@ -667,7 +667,7 @@ WARN: Checks disabled + Rule added + + +-99: limit 22/tcp ++99: limit 13/tcp + WARN: Checks disabled + Rule added + Skipping unsupported IPv6 'limit' rule +@@ -699,7 +699,7 @@ Status: active + [ 8] Anywhere ALLOW IN 192.168.0.0/16 + [ 9] 514/udp DENY IN 1.2.3.4 + [10] 1.2.3.4 5469/udp ALLOW IN 1.2.3.5 5469/udp +-[11] 22/tcp LIMIT IN Anywhere ++[11] 13/tcp LIMIT IN Anywhere + [12] 53 ALLOW IN Anywhere (v6) + [13] 23/tcp ALLOW IN Anywhere (v6) + [14] 25/tcp ALLOW IN Anywhere (v6) +@@ -763,7 +763,7 @@ WARN: Checks disabled + Rule deleted + + +-113: delete limit 22/tcp ++113: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + Skipping unsupported IPv6 'limit' rule +@@ -841,7 +841,7 @@ WARN: Checks disabled + Rule added + + +-129: limit 22/tcp ++129: limit 13/tcp + WARN: Checks disabled + Rule added + +@@ -862,7 +862,7 @@ Status: active + [ 8] Anywhere ALLOW IN 192.168.0.0/16 + [ 9] 514/udp DENY IN 1.2.3.4 + [10] 1.2.3.4 5469/udp ALLOW IN 1.2.3.5 5469/udp +-[11] 22/tcp LIMIT IN Anywhere ++[11] 13/tcp LIMIT IN Anywhere + + + +@@ -916,7 +916,7 @@ WARN: Checks disabled + Rule deleted + + +-141: delete limit 22/tcp ++141: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + +@@ -943,7 +943,7 @@ Rule added (v6) + 146: deny in on eth1:1 + + +-147: reject in on eth1 to 192.168.0.1 port 22 ++147: reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -958,7 +958,7 @@ WARN: Checks disabled + Rule added + + +-150: deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++150: deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -968,7 +968,7 @@ WARN: Checks disabled + Rule added + + +-152: limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++152: limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1002,12 +1002,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Anywhere on eth0 ALLOW IN Anywhere (log) + [ 9] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) + [10] 10.0.0.1 25/tcp on eth0 DENY IN 192.168.0.1 (log-all) +@@ -1031,12 +1031,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Samba on eth2 ALLOW IN Anywhere + [ 9] Anywhere on eth0 ALLOW IN Anywhere (log) + [10] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) +@@ -1052,9 +1052,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 in_eth1 + -A ufw-user-input -i eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1063,17 +1063,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1124,7 +1124,7 @@ Rule deleted + Rule deleted (v6) + + +-161: delete reject in on eth1 to 192.168.0.1 port 22 ++161: delete reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1139,7 +1139,7 @@ WARN: Checks disabled + Rule deleted + + +-164: delete deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++164: delete deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1149,7 +1149,7 @@ WARN: Checks disabled + Rule deleted + + +-166: delete limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++166: delete limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1198,7 +1198,7 @@ Rule added (v6) + 175: deny out on eth1:1 + + +-176: reject out on eth1 to 192.168.0.1 port 22 ++176: reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1213,7 +1213,7 @@ WARN: Checks disabled + Rule added + + +-179: deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++179: deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1223,7 +1223,7 @@ WARN: Checks disabled + Rule added + + +-181: limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++181: limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1257,12 +1257,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [ 9] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) + [10] 10.0.0.1 25/tcp DENY OUT 192.168.0.1 on eth0 (log-all, out) +@@ -1286,12 +1286,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Samba ALLOW OUT Anywhere on eth2 (out) + [ 9] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [10] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) +@@ -1307,9 +1307,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 out_eth1 + -A ufw-user-output -o eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1318,17 +1318,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1379,7 +1379,7 @@ Rule deleted + Rule deleted (v6) + + +-190: delete reject out on eth1 to 192.168.0.1 port 22 ++190: delete reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1394,7 +1394,7 @@ WARN: Checks disabled + Rule deleted + + +-193: delete deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++193: delete deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1404,7 +1404,7 @@ WARN: Checks disabled + Rule deleted + + +-195: delete limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++195: delete limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1452,7 +1452,7 @@ Rule added + 204: deny in on eth1:1 + + +-205: reject in on eth1 to 192.168.0.1 port 22 ++205: reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1467,7 +1467,7 @@ WARN: Checks disabled + Rule added + + +-208: deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++208: deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1477,7 +1477,7 @@ WARN: Checks disabled + Rule added + + +-210: limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++210: limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1509,12 +1509,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Anywhere on eth0 ALLOW IN Anywhere (log) + [ 9] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) + [10] 10.0.0.1 25/tcp on eth0 DENY IN 192.168.0.1 (log-all) +@@ -1534,12 +1534,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Samba on eth2 ALLOW IN Anywhere + [ 9] Anywhere on eth0 ALLOW IN Anywhere (log) + [10] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) +@@ -1551,9 +1551,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 in_eth1 + -A ufw-user-input -i eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1562,17 +1562,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1603,7 +1603,7 @@ WARN: Checks disabled + Rule deleted + + +-219: delete reject in on eth1 to 192.168.0.1 port 22 ++219: delete reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1618,7 +1618,7 @@ WARN: Checks disabled + Rule deleted + + +-222: delete deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++222: delete deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1628,7 +1628,7 @@ WARN: Checks disabled + Rule deleted + + +-224: delete limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++224: delete limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1673,7 +1673,7 @@ Rule added + 233: deny out on eth1:1 + + +-234: reject out on eth1 to 192.168.0.1 port 22 ++234: reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1688,7 +1688,7 @@ WARN: Checks disabled + Rule added + + +-237: deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++237: deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1698,7 +1698,7 @@ WARN: Checks disabled + Rule added + + +-239: limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++239: limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1730,12 +1730,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [ 9] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) + [10] 10.0.0.1 25/tcp DENY OUT 192.168.0.1 on eth0 (log-all, out) +@@ -1755,12 +1755,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Samba ALLOW OUT Anywhere on eth2 (out) + [ 9] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [10] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) +@@ -1772,9 +1772,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 out_eth1 + -A ufw-user-output -o eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1783,17 +1783,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1824,7 +1824,7 @@ WARN: Checks disabled + Rule deleted + + +-248: delete reject out on eth1 to 192.168.0.1 port 22 ++248: delete reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1839,7 +1839,7 @@ WARN: Checks disabled + Rule deleted + + +-251: delete deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++251: delete deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1849,7 +1849,7 @@ WARN: Checks disabled + Rule deleted + + +-253: delete limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++253: delete limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -2591,7 +2591,7 @@ Verify secondary chains + 494: disable + + +-495: allow 22/tcp ++495: allow 13/tcp + + + 496: enable +@@ -2675,7 +2675,7 @@ Verify secondary chains + 522: enable + + +-523: delete allow 22/tcp ++523: delete allow 13/tcp + + + Reset test +@@ -3033,7 +3033,7 @@ Setting IPV6 to yes + 588: enable + + +-589: limit 22/tcp ++589: limit 13/tcp + + + 590: allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp +@@ -3045,12 +3045,12 @@ Setting IPV6 to yes + 592: show added + WARN: Checks disabled + Added user rules (see 'ufw status' for running firewall): +-ufw limit 22/tcp ++ufw limit 13/tcp + ufw deny Samba + ufw allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + + +-593: delete limit 22/tcp ++593: delete limit 13/tcp + + + 594: delete allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp +@@ -3072,7 +3072,7 @@ Setting IPV6 to no + 598: enable + + +-599: limit 22/tcp ++599: limit 13/tcp + + + 600: deny Samba +@@ -3081,11 +3081,11 @@ Setting IPV6 to no + 601: show added + WARN: Checks disabled + Added user rules (see 'ufw status' for running firewall): +-ufw limit 22/tcp ++ufw limit 13/tcp + ufw deny Samba + + +-602: delete limit 22/tcp ++602: delete limit 13/tcp + + + 603: delete deny Samba +diff --git a/tests/root/live/runtest.sh b/tests/root/live/runtest.sh +index 3dd4e35..228e3e6 100755 +--- a/tests/root/live/runtest.sh ++++ b/tests/root/live/runtest.sh +@@ -43,7 +43,7 @@ do + do_cmd "0" allow from 192.168.0.0/16 + do_cmd "0" deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" limit 22/tcp ++ do_cmd "0" limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -63,7 +63,7 @@ do + do_cmd "0" delete allow from 192.168.0.0/16 + do_cmd "0" delete deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" delete limit 22/tcp ++ do_cmd "0" delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" delete deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -132,7 +132,7 @@ do + do_cmd "0" allow from 192.168.0.0/16 + do_cmd "0" deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" limit 22/tcp ++ do_cmd "0" limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -149,7 +149,7 @@ do + do_cmd "0" delete allow from 192.168.0.0/16 + do_cmd "0" delete deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" delete limit 22/tcp ++ do_cmd "0" delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" delete deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -168,12 +168,12 @@ do + + do_cmd "0" allow $i on eth1 + do_cmd "1" null deny $i on eth1:1 +- do_cmd "0" reject $i on eth1 to 192.168.0.1 port 22 ++ do_cmd "0" reject $i on eth1 to 192.168.0.1 port 13 + do_cmd "0" limit $i on eth1 from 10.0.0.1 port 80 + do_cmd "0" allow $i on eth1 to 192.168.0.1 from 10.0.0.1 +- do_cmd "0" deny $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++ do_cmd "0" deny $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + do_cmd "0" reject $i on eth1 to 192.168.0.1 from 10.0.0.1 port 80 +- do_cmd "0" limit $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++ do_cmd "0" limit $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + + do_cmd "0" allow $i on eth0 log + do_cmd "0" allow $i on eth0 log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp +@@ -189,12 +189,12 @@ do + + # delete what we added + do_cmd "0" delete allow $i on eth1 +- do_cmd "0" delete reject $i on eth1 to 192.168.0.1 port 22 ++ do_cmd "0" delete reject $i on eth1 to 192.168.0.1 port 13 + do_cmd "0" delete limit $i on eth1 from 10.0.0.1 port 80 + do_cmd "0" delete allow $i on eth1 to 192.168.0.1 from 10.0.0.1 +- do_cmd "0" delete deny $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++ do_cmd "0" delete deny $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + do_cmd "0" delete reject $i on eth1 to 192.168.0.1 from 10.0.0.1 port 80 +- do_cmd "0" delete limit $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++ do_cmd "0" delete limit $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + + do_cmd "0" delete allow $i on eth0 log + do_cmd "0" delete allow $i on eth0 log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp +@@ -312,7 +312,7 @@ do_cmd "0" nostats disable + echo "'Resource temporarily unavailable' test" >> $TESTTMP/result + do_cmd "0" nostats disable + $TESTSTATE/ufw-init flush-all >/dev/null +-do_cmd "0" nostats allow 22/tcp ++do_cmd "0" nostats allow 13/tcp + do_cmd "0" nostats enable + $TESTSTATE/ufw-init stop >/dev/null + for i in `seq 1 25`; do +@@ -327,7 +327,7 @@ for i in `seq 1 25`; do + let count=count+1 + done + do_cmd "0" nostats enable +-do_cmd "0" nostats delete allow 22/tcp ++do_cmd "0" nostats delete allow 13/tcp + + echo "Reset test" >> $TESTTMP/result + do_cmd "0" nostats enable +@@ -445,13 +445,13 @@ do + sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw + do_cmd "0" nostats disable + do_cmd "0" nostats enable +- do_cmd "0" nostats limit 22/tcp ++ do_cmd "0" nostats limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" nostats allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + fi + do_cmd "0" nostats deny Samba + do_cmd "0" show added +- do_cmd "0" nostats delete limit 22/tcp ++ do_cmd "0" nostats delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" nostats delete allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + fi +diff --git a/tests/root/live_apps/result b/tests/root/live_apps/result +index cb97ffb..1d9338e 100644 +--- a/tests/root/live_apps/result ++++ b/tests/root/live_apps/result +@@ -31,7 +31,7 @@ Rule added + Rule added (v6) + + +-6: allow to any app Samba from any port 22 ++6: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -58,7 +58,7 @@ WARN: Checks disabled + Rule added (v6) + + +-11: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++11: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule added (v6) + +@@ -78,18 +78,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -110,8 +110,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 80/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -120,8 +120,8 @@ Anywhere (v6) ALLOW IN 137,138/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-137,138/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++137,138/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 80/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -129,8 +129,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 80/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -159,7 +159,7 @@ Rule deleted + Rule deleted (v6) + + +-19: delete allow to any app Samba from any port 22 ++19: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -186,7 +186,7 @@ WARN: Checks disabled + Rule deleted (v6) + + +-24: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++24: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule deleted (v6) + +@@ -228,7 +228,7 @@ WARN: Checks disabled + Rule added + + +-33: allow to any app Samba from any port 22 ++33: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + +@@ -253,7 +253,7 @@ WARN: Checks disabled + Rule added + + +-38: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++38: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule added + +@@ -273,12 +273,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -299,8 +299,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -308,8 +308,8 @@ Anywhere ALLOW IN 192.168.2.0/24 137,138/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 80/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -334,7 +334,7 @@ WARN: Checks disabled + Rule deleted + + +-46: delete allow to any app Samba from any port 22 ++46: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + +@@ -359,7 +359,7 @@ WARN: Checks disabled + Rule deleted + + +-51: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++51: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule deleted + +@@ -406,7 +406,7 @@ Rule added + Rule added (v6) + + +-60: allow to any app Samba from any port 22 ++60: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -433,7 +433,7 @@ WARN: Checks disabled + Rule added (v6) + + +-65: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++65: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule added (v6) + +@@ -453,18 +453,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -485,8 +485,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 80/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -495,8 +495,8 @@ Anywhere (v6) ALLOW IN 137,138/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-137,138/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++137,138/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 80/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -504,8 +504,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 80/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -532,18 +532,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -564,8 +564,8 @@ Anywhere ALLOW IN 138,9999/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 138,9999/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-138,9999/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++138,9999/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 8888/tcp (Apache) ALLOW IN 88/tcp + 8888/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 138,9999/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -574,8 +574,8 @@ Anywhere (v6) ALLOW IN 138,9999/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 138,9999/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-138,9999/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++138,9999/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 8888/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 138,9999/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -583,8 +583,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 138,9999/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 8888/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -613,7 +613,7 @@ Rule deleted + Rule deleted (v6) + + +-77: delete allow to any app Samba from any port 22 ++77: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -640,7 +640,7 @@ WARN: Checks disabled + Rule deleted (v6) + + +-82: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++82: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule deleted (v6) + +@@ -682,7 +682,7 @@ WARN: Checks disabled + Rule added + + +-91: allow to any app Samba from any port 22 ++91: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + +@@ -707,7 +707,7 @@ WARN: Checks disabled + Rule added + + +-96: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++96: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule added + +@@ -727,12 +727,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -753,8 +753,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -762,8 +762,8 @@ Anywhere ALLOW IN 192.168.2.0/24 137,138/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 80/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -790,12 +790,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -816,8 +816,8 @@ Anywhere ALLOW IN 138,9999/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 138,9999/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-138,9999/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++138,9999/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 8888/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 138,9999/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -825,8 +825,8 @@ Anywhere ALLOW IN 192.168.2.0/24 138,9999/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 8888/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -851,7 +851,7 @@ WARN: Checks disabled + Rule deleted + + +-108: delete allow to any app Samba from any port 22 ++108: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + +@@ -876,7 +876,7 @@ WARN: Checks disabled + Rule deleted + + +-113: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++113: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1356,7 +1356,7 @@ WARN: Checks disabled + Rule added + + +-164: allow 22 ++164: allow 13 + WARN: Checks disabled + Rule added + +@@ -1435,9 +1435,9 @@ Rule inserted + ### tuple ### allow tcp 139,445 10.0.0.1 any 192.168.0.1 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1488,7 +1488,7 @@ WARN: Checks disabled + Rule deleted + + +-173: delete allow 22 ++173: delete allow 13 + WARN: Checks disabled + Rule deleted + +@@ -1799,7 +1799,7 @@ Rule added + Rule added (v6) + + +-192: allow 22 ++192: allow 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -1880,9 +1880,9 @@ Rule inserted + ### tuple ### allow tcp 139,445 10.0.0.1 any 192.168.0.1 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1923,9 +1923,9 @@ COMMIT + ### tuple ### allow tcp 139,445 ::/0 any ::/0 Samba - in + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -j ACCEPT +--A ufw6-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 ::/0 any ::/0 in ++-A ufw6-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw6-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1949,7 +1949,7 @@ Rule deleted + Rule deleted (v6) + + +-201: delete allow 22 ++201: delete allow 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -2606,7 +2606,7 @@ Setting IPV6 to yes + 278: allow Samba + + +-279: allow 22/tcp ++279: allow 13/tcp + + + ### tuple ### allow udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +@@ -2621,8 +2621,8 @@ Setting IPV6 to yes + ### tuple ### allow tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + + ### tuple ### allow udp any ::/0 137,138 ::/0 - Samba in + -A ufw6-user-input -p udp -m multiport --sports 137,138 -j ACCEPT -m comment --comment 'sapp_Samba' +@@ -2636,8 +2636,8 @@ Setting IPV6 to yes + ### tuple ### allow tcp 139,445 ::/0 any ::/0 Samba - in + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 any ::/0 in ++-A ufw6-user-input -p tcp --dport 13 -j ACCEPT + + 280: --force delete 6 + +@@ -2706,7 +2706,7 @@ Setting IPV6 to no + 289: allow Samba + + +-290: allow 22/tcp ++290: allow 13/tcp + + + ### tuple ### allow udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +@@ -2721,8 +2721,8 @@ Setting IPV6 to no + ### tuple ### allow tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + + 291: --force delete 3 + +diff --git a/tests/root/live_apps/runtest.sh b/tests/root/live_apps/runtest.sh +index 04bbde3..5feb86c 100755 +--- a/tests/root/live_apps/runtest.sh ++++ b/tests/root/live_apps/runtest.sh +@@ -51,7 +51,7 @@ do + do_cmd "0" allow to $loc app Samba + do_cmd "0" allow from $loc app Samba + do_cmd "0" allow to $loc app Samba from $loc app Bind9 +- do_cmd "0" allow to $loc app Samba from $loc port 22 ++ do_cmd "0" allow to $loc app Samba from $loc port 13 + do_cmd "0" allow to $loc app Apache from $loc port 88 + done + do_cmd "0" status +@@ -78,7 +78,7 @@ do + do_cmd "0" delete allow to $loc app Samba + do_cmd "0" delete allow from $loc app Samba + do_cmd "0" delete allow to $loc app Samba from $loc app Bind9 +- do_cmd "0" delete allow to $loc app Samba from $loc port 22 ++ do_cmd "0" delete allow to $loc app Samba from $loc port 13 + do_cmd "0" delete allow to $loc app Apache from $loc port 88 + done + do_cmd "0" status +@@ -188,7 +188,7 @@ for ipv6 in no yes ; do + cat $TESTSTATE/user6.rules >> $TESTTMP/result + + do_cmd "0" allow Samba +- do_cmd "0" allow 22 ++ do_cmd "0" allow 13 + do_cmd "0" insert 2 allow from any to any app Samba + do_cmd "0" insert 2 allow from 192.168.0.1 to 10.0.0.1 app Samba + do_cmd "0" insert 2 allow from 192.168.0.1 to any app Samba +@@ -209,7 +209,7 @@ for ipv6 in no yes ; do + } + + do_cmd "0" delete allow Samba +- do_cmd "0" delete allow 22 ++ do_cmd "0" delete allow 13 + do_cmd "0" delete allow from any to any app Samba + do_cmd "0" delete allow from 192.168.0.1 to 10.0.0.1 app Samba + do_cmd "0" delete allow from 192.168.0.1 to any app Samba +@@ -258,7 +258,7 @@ do + + do_cmd "0" nostats allow from any app Samba + do_cmd "0" nostats allow Samba +- do_cmd "0" nostats allow 22/tcp ++ do_cmd "0" nostats allow 13/tcp + + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + if [ "$ipv6" = "yes" ]; then +@@ -267,16 +267,16 @@ do + + if [ "$ipv6" = "yes" ]; then + do_cmd "0" null --force delete 6 +- grep -v -q "^### tuple ### allow any 22 " $TESTSTATE/user6.rules || { +- echo "Failed: Found port '22' in user6.rules" >> $TESTTMP/result ++ grep -v -q "^### tuple ### allow any 13 " $TESTSTATE/user6.rules || { ++ echo "Failed: Found port '13' in user6.rules" >> $TESTTMP/result + exit 1 + } + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + fi + + do_cmd "0" null --force delete 3 +- grep -v -q "^### tuple ### allow any 22 " $TESTSTATE/user.rules || { +- echo "Failed: Found port '22' in user.rules" >> $TESTTMP/result ++ grep -v -q "^### tuple ### allow any 13 " $TESTSTATE/user.rules || { ++ echo "Failed: Found port '13' in user.rules" >> $TESTTMP/result + exit 1 + } + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +diff --git a/tests/root/valid/result b/tests/root/valid/result +index 320a728..752b6f2 100644 +--- a/tests/root/valid/result ++++ b/tests/root/valid/result +@@ -215,7 +215,7 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-26: limit 22/tcp ++26: limit 13/tcp + WARN: Checks disabled + Rules updated + +@@ -233,9 +233,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 27: deny 53 + WARN: Checks disabled + Rules updated +@@ -254,9 +254,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 28: allow 80/tcp + WARN: Checks disabled + Rules updated +@@ -275,9 +275,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 29: allow from 10.0.0.0/8 + WARN: Checks disabled + Rules updated +@@ -296,9 +296,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -321,9 +321,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -349,9 +349,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -380,9 +380,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -414,9 +414,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -451,9 +451,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -483,7 +483,7 @@ WARN: Checks disabled + Rules updated + + +-37: delete limit 22/tcp ++37: delete limit 13/tcp + WARN: Checks disabled + Rules updated + +@@ -659,41 +659,41 @@ WARN: Checks disabled + Rules updated + + +-66: allow ssh ++66: allow daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT +-67: delete allow ssh ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT ++67: delete allow daytime + WARN: Checks disabled + Rules updated + + +-68: allow ssh/tcp ++68: allow daytime/tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + +-69: delete allow ssh/tcp ++69: delete allow daytime/tcp + WARN: Checks disabled + Rules updated + + +-70: allow ssh/udp ++70: allow daytime/udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + +-71: delete allow ssh/udp ++71: delete allow daytime/udp + WARN: Checks disabled + Rules updated + +@@ -1679,28 +1679,28 @@ WARN: Checks disabled + Rules updated + + +-219: allow to any port smtp from any port ssh ++219: allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 25 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-220: delete allow to any port smtp from any port ssh ++220: delete allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + + +-221: allow to any port ssh from any port smtp ++221: allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 25 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 25 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-222: delete allow to any port ssh from any port smtp ++222: delete allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + +@@ -1744,28 +1744,28 @@ WARN: Checks disabled + Rules updated + + +-229: allow to any port tftp from any port ssh ++229: allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 69 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-230: delete allow to any port tftp from any port ssh ++230: delete allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + + +-231: allow to any port ssh from any port tftp ++231: allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 69 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 69 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-232: delete allow to any port ssh from any port tftp ++232: delete allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + +@@ -1796,41 +1796,41 @@ WARN: Checks disabled + Rules updated + + +-237: allow to any port ssh from any port 23 ++237: allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 22 0.0.0.0/0 23 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 23 -j ACCEPT +--A ufw-user-input -p udp --dport 22 --sport 23 -j ACCEPT +-238: delete allow to any port ssh from any port 23 ++### tuple ### allow any 13 0.0.0.0/0 23 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 23 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 --sport 23 -j ACCEPT ++238: delete allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + + +-239: allow to any port 23 from any port ssh ++239: allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 23 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 23 --sport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 23 --sport 22 -j ACCEPT +-240: delete allow to any port 23 from any port ssh ++### tuple ### allow any 23 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 23 --sport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 23 --sport 13 -j ACCEPT ++240: delete allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + + +-241: allow to any port ssh from any port domain ++241: allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 22 0.0.0.0/0 53 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 53 -j ACCEPT +--A ufw-user-input -p udp --dport 22 --sport 53 -j ACCEPT +-242: delete allow to any port ssh from any port domain ++### tuple ### allow any 13 0.0.0.0/0 53 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 53 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 --sport 53 -j ACCEPT ++242: delete allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + +@@ -1848,28 +1848,28 @@ WARN: Checks disabled + Rules updated + + +-245: allow to any port smtp from any port ssh proto tcp ++245: allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 25 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-246: delete allow to any port smtp from any port ssh proto tcp ++246: delete allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-247: allow to any port ssh from any port smtp proto tcp ++247: allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 25 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 25 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-248: delete allow to any port ssh from any port smtp proto tcp ++248: delete allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + +@@ -1913,28 +1913,28 @@ WARN: Checks disabled + Rules updated + + +-255: allow to any port tftp from any port ssh proto udp ++255: allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 69 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-256: delete allow to any port tftp from any port ssh proto udp ++256: delete allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-257: allow to any port ssh from any port tftp proto udp ++257: allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 69 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 69 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-258: delete allow to any port ssh from any port tftp proto udp ++258: delete allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + +@@ -1965,80 +1965,80 @@ WARN: Checks disabled + Rules updated + + +-263: allow to any port ssh from any port 23 proto tcp ++263: allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 23 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 23 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 23 -j ACCEPT + +-264: delete allow to any port ssh from any port 23 proto tcp ++264: delete allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + + +-265: allow to any port 23 from any port ssh proto tcp ++265: allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 23 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow tcp 23 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 23 --sport 13 -j ACCEPT + +-266: delete allow to any port 23 from any port ssh proto tcp ++266: delete allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-267: allow to any port ssh from any port domain proto tcp ++267: allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 53 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 53 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 53 -j ACCEPT + +-268: delete allow to any port ssh from any port domain proto tcp ++268: delete allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + + +-269: allow to any port ssh from any port 23 proto udp ++269: allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 23 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 23 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 23 -j ACCEPT + +-270: delete allow to any port ssh from any port 23 proto udp ++270: delete allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + + +-271: allow to any port 23 from any port ssh proto udp ++271: allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 23 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow udp 23 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 23 --sport 13 -j ACCEPT + +-272: delete allow to any port 23 from any port ssh proto udp ++272: delete allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-273: allow to any port ssh from any port domain proto udp ++273: allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 53 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 53 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 53 -j ACCEPT + +-274: delete allow to any port ssh from any port domain proto udp ++274: delete allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + +@@ -2196,41 +2196,41 @@ WARN: Checks disabled + Rules updated + + +-297: allow to 192.168.0.1 port 80:83,22 proto tcp ++297: allow to 192.168.0.1 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22,80:83 192.168.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 22,80:83 -d 192.168.0.1 -j ACCEPT ++### tuple ### allow tcp 13,80:83 192.168.0.1 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp -m multiport --dports 13,80:83 -d 192.168.0.1 -j ACCEPT + +-298: delete allow to 192.168.0.1 port 80:83,22 proto tcp ++298: delete allow to 192.168.0.1 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated + + +-299: allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++299: allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 192.168.0.2 35:39 192.168.0.1 in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 35:39 -d 192.168.0.2 -s 192.168.0.1 -j ACCEPT ++### tuple ### allow tcp 13 192.168.0.2 35:39 192.168.0.1 in ++-A ufw-user-input -p tcp -m multiport --dports 13 -m multiport --sports 35:39 -d 192.168.0.2 -s 192.168.0.1 -j ACCEPT + +-300: delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++300: delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + WARN: Checks disabled + Rules updated + + +-301: allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++301: allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 24:26 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 24:26 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT + +-302: delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++302: delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + +@@ -2274,15 +2274,15 @@ WARN: Checks disabled + Rules updated + + +-309: deny 23,21,15:19,22/udp ++309: deny 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + + +-### tuple ### deny udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j DROP ++### tuple ### deny udp 13,15:19,21,23 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -j DROP + +-310: delete deny 23,21,15:19,22/udp ++310: delete deny 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + +diff --git a/tests/root/valid/runtest.sh b/tests/root/valid/runtest.sh +index aa03d99..feeacba 100755 +--- a/tests/root/valid/runtest.sh ++++ b/tests/root/valid/runtest.sh +@@ -76,7 +76,7 @@ do_cmd "0" deny to any port 80 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" deny from 10.0.0.0/8 to 192.168.0.1 port 25 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" limit 22/tcp ++do_cmd "0" limit 13/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" deny 53 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -97,7 +97,7 @@ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + do_cmd "0" delete allow 25/tcp + do_cmd "0" delete deny from 10.0.0.0/8 to 192.168.0.1 port 25 proto tcp +-do_cmd "0" delete limit 22/tcp ++do_cmd "0" delete limit 13/tcp + do_cmd "0" delete deny 53 + do_cmd "0" delete allow 80/tcp + do_cmd "0" delete allow from 10.0.0.0/8 +@@ -160,19 +160,19 @@ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow tftp/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + +-do_cmd "0" allow ssh ++do_cmd "0" allow daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow ssh ++do_cmd "0" delete allow daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + +-do_cmd "0" allow ssh/tcp ++do_cmd "0" allow daytime/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow ssh/tcp ++do_cmd "0" delete allow daytime/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + +-do_cmd "0" allow ssh/udp ++do_cmd "0" allow daytime/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow ssh/udp ++do_cmd "0" delete allow daytime/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + +@@ -250,13 +250,13 @@ do_cmd "0" allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh ++do_cmd "0" allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh ++do_cmd "0" delete allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp ++do_cmd "0" allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp ++do_cmd "0" delete allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -270,13 +270,13 @@ do_cmd "0" allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh ++do_cmd "0" allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh ++do_cmd "0" delete allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp ++do_cmd "0" allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp ++do_cmd "0" delete allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -286,30 +286,30 @@ do_cmd "0" allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 ++do_cmd "0" allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 ++do_cmd "0" delete allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh ++do_cmd "0" allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh ++do_cmd "0" delete allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain ++do_cmd "0" allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain ++do_cmd "0" delete allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + do_cmd "0" allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh proto tcp ++do_cmd "0" allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh proto tcp ++do_cmd "0" delete allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp proto tcp ++do_cmd "0" allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp proto tcp ++do_cmd "0" delete allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -323,13 +323,13 @@ do_cmd "0" allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh proto udp ++do_cmd "0" allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh proto udp ++do_cmd "0" delete allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp proto udp ++do_cmd "0" allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp proto udp ++do_cmd "0" delete allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -339,29 +339,29 @@ do_cmd "0" allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto tcp ++do_cmd "0" allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto tcp ++do_cmd "0" delete allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto tcp ++do_cmd "0" allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto tcp ++do_cmd "0" delete allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto tcp ++do_cmd "0" allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto tcp ++do_cmd "0" delete allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto udp ++do_cmd "0" allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto udp ++do_cmd "0" delete allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto udp ++do_cmd "0" allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto udp ++do_cmd "0" delete allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto udp ++do_cmd "0" allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto udp ++do_cmd "0" delete allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + echo "TESTING NETMASK" >> $TESTTMP/result +@@ -413,17 +413,17 @@ do_cmd "0" allow to 192.168.0.1 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to 192.168.0.1 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to 192.168.0.1 port 80:83,22 proto tcp ++do_cmd "0" allow to 192.168.0.1 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to 192.168.0.1 port 80:83,22 proto tcp ++do_cmd "0" delete allow to 192.168.0.1 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++do_cmd "0" allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++do_cmd "0" delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow 34,35/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -437,9 +437,9 @@ do_cmd "0" deny 35:39/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete deny 35:39/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" deny 23,21,15:19,22/udp ++do_cmd "0" deny 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete deny 23,21,15:19,22/udp ++do_cmd "0" delete deny 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + cleanup +diff --git a/tests/root/valid6/result b/tests/root/valid6/result +index 74fcd86..f568a2f 100644 +--- a/tests/root/valid6/result ++++ b/tests/root/valid6/result +@@ -1049,31 +1049,31 @@ Rules updated + Rules updated (v6) + + +-164: allow to any port smtp from any port ssh ++164: allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 25 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-165: delete allow to any port smtp from any port ssh ++165: delete allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-166: allow to any port ssh from any port smtp ++166: allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 25 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 25 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-167: delete allow to any port ssh from any port smtp ++167: delete allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1124,31 +1124,31 @@ Rules updated + Rules updated (v6) + + +-174: allow to any port tftp from any port ssh ++174: allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 69 ::/0 22 ::/0 in +--A ufw6-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 ::/0 13 ::/0 in ++-A ufw6-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-175: delete allow to any port tftp from any port ssh ++175: delete allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-176: allow to any port ssh from any port tftp ++176: allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 69 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 ::/0 69 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-177: delete allow to any port ssh from any port tftp ++177: delete allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1184,46 +1184,46 @@ Rules updated + Rules updated (v6) + + +-182: allow to any port ssh from any port 23 ++182: allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow any 22 ::/0 23 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 23 -j ACCEPT +--A ufw6-user-input -p udp --dport 22 --sport 23 -j ACCEPT +-183: delete allow to any port ssh from any port 23 ++### tuple ### allow any 13 ::/0 23 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 23 -j ACCEPT ++-A ufw6-user-input -p udp --dport 13 --sport 23 -j ACCEPT ++183: delete allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-184: allow to any port 23 from any port ssh ++184: allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow any 23 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 23 --sport 22 -j ACCEPT +--A ufw6-user-input -p udp --dport 23 --sport 22 -j ACCEPT +-185: delete allow to any port 23 from any port ssh ++### tuple ### allow any 23 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 23 --sport 13 -j ACCEPT ++-A ufw6-user-input -p udp --dport 23 --sport 13 -j ACCEPT ++185: delete allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-186: allow to any port ssh from any port domain ++186: allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow any 22 ::/0 53 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 53 -j ACCEPT +--A ufw6-user-input -p udp --dport 22 --sport 53 -j ACCEPT +-187: delete allow to any port ssh from any port domain ++### tuple ### allow any 13 ::/0 53 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 53 -j ACCEPT ++-A ufw6-user-input -p udp --dport 13 --sport 53 -j ACCEPT ++187: delete allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1244,31 +1244,31 @@ Rules updated + Rules updated (v6) + + +-190: allow to any port smtp from any port ssh proto tcp ++190: allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 25 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-191: delete allow to any port smtp from any port ssh proto tcp ++191: delete allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-192: allow to any port ssh from any port smtp proto tcp ++192: allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 25 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 25 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-193: delete allow to any port ssh from any port smtp proto tcp ++193: delete allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1319,31 +1319,31 @@ Rules updated + Rules updated (v6) + + +-200: allow to any port tftp from any port ssh proto udp ++200: allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 69 ::/0 22 ::/0 in +--A ufw6-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 ::/0 13 ::/0 in ++-A ufw6-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-201: delete allow to any port tftp from any port ssh proto udp ++201: delete allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-202: allow to any port ssh from any port tftp proto udp ++202: allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 69 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 ::/0 69 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-203: delete allow to any port ssh from any port tftp proto udp ++203: delete allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1379,91 +1379,91 @@ Rules updated + Rules updated (v6) + + +-208: allow to any port ssh from any port 23 proto tcp ++208: allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 23 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 23 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 23 -j ACCEPT + +-209: delete allow to any port ssh from any port 23 proto tcp ++209: delete allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-210: allow to any port 23 from any port ssh proto tcp ++210: allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 23 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow tcp 23 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 23 --sport 13 -j ACCEPT + +-211: delete allow to any port 23 from any port ssh proto tcp ++211: delete allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-212: allow to any port ssh from any port domain proto tcp ++212: allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 53 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 53 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 53 -j ACCEPT + +-213: delete allow to any port ssh from any port domain proto tcp ++213: delete allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-214: allow to any port ssh from any port 23 proto udp ++214: allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 23 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow udp 13 ::/0 23 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 23 -j ACCEPT + +-215: delete allow to any port ssh from any port 23 proto udp ++215: delete allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-216: allow to any port 23 from any port ssh proto udp ++216: allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 23 ::/0 22 ::/0 in +--A ufw6-user-input -p udp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow udp 23 ::/0 13 ::/0 in ++-A ufw6-user-input -p udp --dport 23 --sport 13 -j ACCEPT + +-217: delete allow to any port 23 from any port ssh proto udp ++217: delete allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-218: allow to any port ssh from any port domain proto udp ++218: allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 53 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow udp 13 ::/0 53 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 53 -j ACCEPT + +-219: delete allow to any port ssh from any port domain proto udp ++219: delete allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1575,63 +1575,63 @@ WARN: Checks disabled + Rules updated (v6) + + +-236: allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++236: allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-### tuple ### allow tcp 22,80:83 2001:db8:85a3:8d3:1319:8a2e:370:7341 any ::/0 in +--A ufw6-user-input -p tcp -m multiport --dports 22,80:83 -d 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT ++### tuple ### allow tcp 13,80:83 2001:db8:85a3:8d3:1319:8a2e:370:7341 any ::/0 in ++-A ufw6-user-input -p tcp -m multiport --dports 13,80:83 -d 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT + +-237: delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++237: delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-238: allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++238: allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-### tuple ### allow tcp 22 2001:db8:85a3:8d3:1319:8a2e:370:7342 35:39 2001:db8:85a3:8d3:1319:8a2e:370:7341 in +--A ufw6-user-input -p tcp -m multiport --dports 22 -m multiport --sports 35:39 -d 2001:db8:85a3:8d3:1319:8a2e:370:7342 -s 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT ++### tuple ### allow tcp 13 2001:db8:85a3:8d3:1319:8a2e:370:7342 35:39 2001:db8:85a3:8d3:1319:8a2e:370:7341 in ++-A ufw6-user-input -p tcp -m multiport --dports 13 -m multiport --sports 35:39 -d 2001:db8:85a3:8d3:1319:8a2e:370:7342 -s 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT + +-239: delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++239: delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-240: allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++240: allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 24:26 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 24:26 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT + +-### tuple ### allow udp 15:19,21,22,23 ::/0 24:26 ::/0 in +--A ufw6-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 ::/0 24:26 ::/0 in ++-A ufw6-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT + +-241: delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++241: delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-242: allow 23,21,15:19,22/udp ++242: allow 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -j ACCEPT + +-### tuple ### allow udp 15:19,21,22,23 ::/0 any ::/0 in +--A ufw6-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 ::/0 any ::/0 in ++-A ufw6-user-input -p udp -m multiport --dports 13,15:19,21,23 -j ACCEPT + +-243: delete allow 23,21,15:19,22/udp ++243: delete allow 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + Rules updated (v6) +diff --git a/tests/root/valid6/runtest.sh b/tests/root/valid6/runtest.sh +index 1695dd1..d08e6f3 100755 +--- a/tests/root/valid6/runtest.sh ++++ b/tests/root/valid6/runtest.sh +@@ -154,13 +154,13 @@ do_cmd "0" allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh ++do_cmd "0" allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh ++do_cmd "0" delete allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp ++do_cmd "0" allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp ++do_cmd "0" delete allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -174,13 +174,13 @@ do_cmd "0" allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh ++do_cmd "0" allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh ++do_cmd "0" delete allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp ++do_cmd "0" allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp ++do_cmd "0" delete allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -190,30 +190,30 @@ do_cmd "0" allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 ++do_cmd "0" allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 ++do_cmd "0" delete allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh ++do_cmd "0" allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh ++do_cmd "0" delete allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain ++do_cmd "0" allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain ++do_cmd "0" delete allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + + do_cmd "0" allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh proto tcp ++do_cmd "0" allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh proto tcp ++do_cmd "0" delete allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp proto tcp ++do_cmd "0" allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp proto tcp ++do_cmd "0" delete allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -227,13 +227,13 @@ do_cmd "0" allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh proto udp ++do_cmd "0" allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh proto udp ++do_cmd "0" delete allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp proto udp ++do_cmd "0" allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp proto udp ++do_cmd "0" delete allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -243,29 +243,29 @@ do_cmd "0" allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto tcp ++do_cmd "0" allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto tcp ++do_cmd "0" delete allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto tcp ++do_cmd "0" allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto tcp ++do_cmd "0" delete allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto tcp ++do_cmd "0" allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto tcp ++do_cmd "0" delete allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto udp ++do_cmd "0" allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto udp ++do_cmd "0" delete allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto udp ++do_cmd "0" allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto udp ++do_cmd "0" delete allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto udp ++do_cmd "0" allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto udp ++do_cmd "0" delete allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + + echo "TESTING NETMASK" >> $TESTTMP/result +@@ -303,24 +303,24 @@ do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++do_cmd "0" allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++do_cmd "0" delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow 23,21,15:19,22/udp ++do_cmd "0" allow 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow 23,21,15:19,22/udp ++do_cmd "0" delete allow 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch new file mode 100644 index 0000000000..f9c387a451 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch @@ -0,0 +1,106 @@ +empty our IPT_MODULES and update documentation + +empty out IPT_MODULES and update documentation regarding modern use of +connection tracking modules. + +Patch from git://git.launchpad.net/ufw +Commit aefb842b73726c245157096fb8992c3e82833147 + +Written by Jamie Strandboge <jamie@ubuntu.com> + +Merged patch so they applied to 0.33 with missing code. Unit tests are not +in this version. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + + +diff --git a/conf/ufw.defaults b/conf/ufw.defaults +index 330ad88..b3eba8f 100644 +--- a/conf/ufw.defaults ++++ b/conf/ufw.defaults +@@ -34,12 +34,13 @@ MANAGE_BUILTINS=no + # only enable if using iptables backend + IPT_SYSCTL=#CONFIG_PREFIX#/ufw/sysctl.conf + +-# Extra connection tracking modules to load. Complete list can be found in +-# net/netfilter/Kconfig of your kernel source. Some common modules: ++# Extra connection tracking modules to load. IPT_MODULES should typically be ++# empty for new installations and modules added only as needed. See ++# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can ++# be found in net/netfilter/Kconfig of your kernel source. Some common modules: + # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support + # nf_conntrack_netbios_ns: NetBIOS (samba) client support + # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT + # nf_conntrack_ftp, nf_nat_ftp: active FTP support + # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side) +-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" +- ++IPT_MODULES="" + +diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 +index eef28e1..97dc8c5 100644 +--- a/doc/ufw-framework.8 ++++ b/doc/ufw-framework.8 +@@ -115,5 +115,10 @@ IPT_MODULES in #CONFIG_PREFIX#/default/ufw. Some popular modules to load are: + nf_conntrack_tftp + nf_nat_tftp ++.PP ++Unconditional loading of connection tracking modules (nf_conntrack_*) in this ++manner is deprecated. \fBufw\fR continues to support the functionality but new ++configuration should only contain the specific modules required for the site. ++For more information, see CONNECTION HELPERS. + + .SH "KERNEL PARAMETERS" + .PP +@@ 240,5 +245,50 @@ Add the necessary \fBufw\fR rules: + # ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp + ++.SH "CONNECTION HELPERS" ++.PP ++Various protocols require the use of netfilter connection tracking helpers to ++group related packets into RELATED flows to make rulesets clearer and more ++precise. For example, with a couple of kernel modules and a couple of rules, a ++ruleset could simply allow a connection to FTP port 21, then the kernel would ++examine the traffic and mark the other FTP data packets as RELATED to the ++initial connection. ++.PP ++When the helpers were first introduced, one could only configure the modules as ++part of module load (eg, if your FTP server listened on a different port than ++21, you'd have to load the nf_conntrack_ftp module specifying the correct ++port). Over time it was understood that unconditionally using connection ++helpers could lead to abuse, in part because some protocols allow user ++specified data that would allow traversing the firewall in undesired ways. As ++of kernel 4.7, automatic conntrack helper assignment (ie, handling packets for ++a given port and all IP addresses) is disabled (the old behavior can be ++restored by setting net/netfilter/nf_conntrack_helper=1 in ++#CONFIG_PREFIX#/ufw/sysctl.conf). Firewalls should now instead use the CT ++target to associate traffic with a particular helper and then set RELATED rules ++to use the helper. This allows sites to tailor the use of helpers and help ++avoid abuse. ++.PP ++In general, to use helpers securely, the following needs to happen: ++.IP 1. ++net/netfilter/nf_conntrack_helper should be set to 0 (default) ++.IP 2. ++create a rule for the start of a connection (eg for FTP, port 21) ++.IP 3. ++create a helper rule to associate the helper with this connection ++.IP 4. ++create a helper rule to associate a RELATED flow with this connection ++.IP 5. ++if needed, add the corresponding nf_conntrack_* module to IPT_MODULES ++.IP 6. ++optionally add the corresponding nf_nat_* module to IPT_MODULES ++.PP ++In general it is desirable to make connection helper rules as specific as ++possible and ensure anti\-spoofing is correctly setup for your site to avoid ++security issues in your ruleset. For more information, see ANTI\-SPOOFING, ++above, and <https://home.regit.org/netfilter-en/secure-use-of-helpers/>. ++.PP ++Currently helper rules must be managed in via the RULES FILES. A future version ++of \fBufw\fR will introduce syntax for working with helper rules. ++ + .SH SEE ALSO + .PP + \fBufw\fR(8), \fBiptables\fR(8), \fBip6tables\fR(8), \fBiptables\-restore\fR(8), \fBip6tables\-restore\fR(8), \fBsysctl\fR(8), \fBsysctl.conf\fR(5) diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch b/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch new file mode 100644 index 0000000000..ea48c83b84 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch @@ -0,0 +1,33 @@ +tests/check-requirements: simplify and support python 3.8 + +Written by: Jamie Strandboge <jamie@ubuntu.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id e30f8bc2aeb317d152e74a270a8e1336de06cee6 + +Upstream-Status: Backport + +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/tests/check-requirements b/tests/check-requirements +index e873703..82fab08 100755 +--- a/tests/check-requirements ++++ b/tests/check-requirements +@@ -45,7 +45,7 @@ runcmd() { + # check python + found_python="no" + echo -n "Has python: " +-for exe in python2.7 python2.6 python2.5 python3.2 python; do ++for exe in python3 python2 python; do + if ! which $exe >/dev/null 2>&1; then + continue + fi +@@ -54,7 +54,7 @@ for exe in python2.7 python2.6 python2.5 python3.2 python; do + echo "pass (binary: $exe, version: $v, py2)" + found_python="yes" + break +- elif echo "$v" | grep -q "^3.[2]"; then ++ elif echo "$v" | grep -q "^3.[2-8]"; then + echo "pass (binary: $exe, version: $v, py3)" + found_python="yes" + break diff --git a/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch b/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch new file mode 100644 index 0000000000..e1fcf0ca56 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch @@ -0,0 +1,33 @@ +Add code to detect openembedded python interpreter + +OE does not use /usr/bin/env as part of the interpreter, Instead, it's a +full path in sys.executable. + +Upstream-Status: Inappropriate (Embedded) +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> +--- + setup.py | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/setup.py b/setup.py +index 75c1105..3f9a5e0 100644 +--- a/setup.py ++++ b/setup.py +@@ -128,6 +128,14 @@ class Install(_install, object): + "-i.jjm", + "1s%^#.*python.*%#! " + sys.executable + "%g", + 'staging/ufw']) ++ elif '/python' in sys.executable and \ ++ os.path.basename(sys.executable) in ['python', 'python3']: ++ print("Detected full path " + sys.executable + ". substituting " + os.path.basename(sys.executable)) ++ subprocess.call(["sed", ++ "-i.jjm", ++ "1s%python$%" ++ + os.path.basename(sys.executable) + "%g", ++ 'staging/ufw']) + + self.copy_file('staging/ufw', script) + self.copy_file('doc/ufw.8', manpage) +-- +2.7.4 + diff --git a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb index 42fc262589..856270cd5c 100644 --- a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb +++ b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb @@ -16,6 +16,13 @@ SRC_URI = " \ file://0003-fix-typeerror-on-error.patch \ file://0004-lp1039729.patch \ file://0005-lp1191197.patch \ + file://0006-check-requirements-get-error.patch \ + file://0007-use-conntrack-instead-of-state-module.patch \ + file://0008-support-.-setup.py-build-LP-819600.patch \ + file://0009-adjust-runtime-tests-to-use-daytime-port.patch \ + file://0010-empty-out-IPT_MODULES-and-update-documentation.patch \ + file://0011-tests-check-requirements--simplify-and-support-python-3.8.patch \ + file://Add-code-to-detect-openembedded-python-interpreter.patch \ " UPSTREAM_CHECK_URI = "https://launchpad.net/ufw" @@ -25,6 +32,17 @@ SRC_URI[sha256sum] = "5f85a8084ad3539b547bec097286948233188c971f498890316dec170b inherit setuptools3 features_check +do_install_append() { + install -d ${D}${datadir}/${PN}/test + cp -R --no-dereference --preserve=mode,links -v ${S}/* ${D}${datadir}/${PN}/test +} +PACKAGES =+ "${PN}-test" +RDEPENDS_${PN}-test += "bash" +FILES_${PN}-test += "${datadir}/${PN}/test" + +# To test, install ufw-test package. You can enter /usr/share/ufw/test and run as root: +# PYTHONPATH=tests/testarea/lib/python ./run_tests.sh -s -i python3 root + RDEPENDS_${PN} = " \ iptables \ python3 \ @@ -33,14 +51,35 @@ RDEPENDS_${PN} = " \ RRECOMMENDS_${PN} = " \ kernel-module-ipv6 \ - kernel-module-nf-conntrack-ipv6 \ + kernel-module-ipt-reject \ + kernel-module-iptable-mangle \ + kernel-module-iptable-raw \ + kernel-module-ip6table-raw \ + kernel-module-ip6t-reject \ + kernel-module-ip6t-rt \ + kernel-module-ip6table-mangle \ + kernel-module-nf-conntrack \ kernel-module-nf-log-common \ + kernel-module-nf-conntrack-broadcast \ + kernel-module-nf-conntrack-ftp \ + kernel-module-nf-conntrack-netbios-ns \ + kernel-module-nf-log-ipv4 \ + kernel-module-nf-log-ipv6 \ kernel-module-nf-log-ipv4 \ kernel-module-nf-log-ipv6 \ - kernel-module-nf-addrtype \ - kernel-module-nf-limit \ - kernel-module-nf-log \ - kernel-module-nf-recent \ + kernel-module-nf-nat-ftp \ + kernel-module-xt-addrtype \ + kernel-module-xt-comment \ + kernel-module-xt-conntrack \ + kernel-module-xt-hashlimit \ + kernel-module-xt-hl \ + kernel-module-xt-multiport \ + kernel-module-xt-ratetest \ + kernel-module-xt-socket \ + kernel-module-xt-tcpudp \ + kernel-module-xt-limit \ + kernel-module-xt-log \ + kernel-module-xt-recent \ " # Certain items are explicitly put under /lib, not base_libdir when installed. diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb index 54e855a099..5d968f1476 100644 --- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb +++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb @@ -9,7 +9,7 @@ DEPENDS += "libgcrypt" PV .= "r550-2jnpr1" SRCREV = "b1243d29e0c00312ead038b04a2cf5e2fa31d740" -SRC_URI = "git://github.com/ndpgroup/vpnc \ +SRC_URI = "git://github.com/ndpgroup/vpnc;branch=master;protocol=https \ file://long-help \ file://default.conf \ file://0001-search-for-log-help-in-build-dir.patch \ diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb index db7b0d486b..b9c545e155 100644 --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" PROVIDES += "cyassl" RPROVIDES_${PN} = "cyassl" -SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https" +SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master" SRCREV = "e116c89a58af750421d82ece13f80516d2bde02e" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch new file mode 100644 index 0000000000..88794aa7ab --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch @@ -0,0 +1,111 @@ +From d255bf90834fb45be52decf9bc0b4fb46c90f205 Mon Sep 17 00:00:00 2001 +From: Martin Dummer <md11@users.sourceforge.net> +Date: Sun, 12 Sep 2021 22:52:26 +0200 +Subject: [PATCH] fix buffer overflow in atftpd + +Andreas B. Mundt <andi@debian.org> reports: + +I've found a problem in atftpd that might be relevant for security. +The daemon can be crashed by any client sending a crafted combination +of TFTP options to the server. As TFTP is usually only used in the LAN, +it's probably not too dramatic. + +Observations and how to reproduce the issue +=========================================== + +Install bullseye packages and prepare tftp-root: + sudo apt install atftp atftpd + mkdir tmp + touch tmp/file.txt + +Run server: + /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \ + --logfile=/dev/stdout --verbose=7 --port 2000 tmp + +Fetch file from client: + /usr/bin/atftp -g --trace --option "blksize 8" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Crash server by adding another option to the tiny blksize: + /usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Analysis +======== + +The reason for the crash is a buffer overflow. The size of the buffer keeping the data +to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode +and block number). However, the same buffer is used for the OACK, which for a blksize=8 +overflows as soon as another option is set. + +Signed-off-by: Martin Dummer <md11@users.sourceforge.net> + +CVE: CVE-2021-41054 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/d255bf90834fb45be52decf9bc0b4fb46c90f205.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + tftpd_file.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/tftpd_file.c b/tftpd_file.c +index ff40e8d..37a0906 100644 +--- a/tftpd_file.c ++++ b/tftpd_file.c +@@ -168,11 +168,24 @@ int tftpd_receive_file(struct thread_data *data) + logger(LOG_DEBUG, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. ++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +@@ -531,11 +544,24 @@ int tftpd_send_file(struct thread_data *data) + logger(LOG_INFO, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. ++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch new file mode 100644 index 0000000000..310728aaca --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch @@ -0,0 +1,48 @@ +From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001 +From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de> +Date: Wed, 10 Jan 2018 17:01:20 +0100 +Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array + +This properly fixes what commit:b3e36dd tried to do. + +CVE: CVE-2021-46671 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + options.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/options.c b/options.c +index ee419c6..c716994 100644 +--- a/options.c ++++ b/options.c +@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - requests always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + /* read filename */ + entry = argz_next(tftp_data->th_stuff, size, entry); + if (!entry) +@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - options always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) + { + tmp = entry; +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb index ff9084dbf6..32b776e578 100644 --- a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb +++ b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb @@ -6,9 +6,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "52b71f0831dcbde508bd3a961d84abb80a62480f" -SRC_URI = "git://git.code.sf.net/p/atftp/code \ +SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master \ file://atftpd.init \ file://atftpd.service \ + file://0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch \ + file://0001-fix-buffer-overflow-in-atftpd.patch \ " SRC_URI_append_libc-musl = " file://0001-argz.h-fix-musl-compile-add-missing-defines.patch \ file://0002-tftp.h-tftpd.h-fix-musl-compile-missing-include.patch \ diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 0000000000..0ddea03c69 --- /dev/null +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch @@ -0,0 +1,83 @@ +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 15 Jun 2022 10:44:50 +0530 +Subject: [PATCH] CVE-2022-24407 + +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] +CVE: CVE-2022-24407 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + plugins/sql.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/plugins/sql.c b/plugins/sql.c +index 95f5f707..5d20759b 100644 +--- a/plugins/sql.c ++++ b/plugins/sql.c +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, + char *statement = NULL; + char *escap_userid = NULL; + char *escap_realm = NULL; ++ char *escap_passwd = NULL; + const char *cmd; + + sql_settings_t *settings; +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, + "Unable to begin transaction\n"); + } + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { ++ /* Free the buffer, current content is from previous loop. */ ++ if (escap_passwd) { ++ sparams->utils->free(escap_passwd); ++ escap_passwd = NULL; ++ } + + if (cur->name[0] == '*') { + continue; +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, + } + sparams->utils->free(statement); + ++ if (cur->values[0]) { ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); ++ if (!escap_passwd) { ++ ret = SASL_NOMEM; ++ break; ++ } ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); ++ } ++ + /* create a statement that we will use */ + statement = sql_create_statement(cmd, cur->name, escap_userid, + escap_realm, +- cur->values && cur->values[0] ? +- cur->values[0] : SQL_NULL_VALUE, ++ escap_passwd ? ++ escap_passwd : SQL_NULL_VALUE, + sparams->utils); ++ if (!statement) { ++ ret = SASL_NOMEM; ++ break; ++ } + + { + char *log_statement = + sql_create_statement(cmd, cur->name, + escap_userid, + escap_realm, +- cur->values && cur->values[0] ? ++ escap_passwd ? + "<omitted>" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb index d55dc4ab7e..3e7056d67d 100644 --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396" SRCREV = "e41cfb986c1b1935770de554872247453fdbb079" -SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ +SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \ file://avoid-to-call-AC_TRY_RUN.patch \ file://Fix-hardcoded-libdir.patch \ file://debian_patches_0014_avoid_pic_overwrite.diff \ @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \ file://0001-makeinit.sh-fix-parallel-build-issue.patch \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" @@ -96,3 +97,6 @@ FILES_${PN}-dbg += "${libdir}/sasl2/.debug" FILES_${PN}-staticdev += "${libdir}/sasl2/*.a" INSANE_SKIP_${PN} += "dev-so" + +# CVE-2020-8032 affects only openSUSE +CVE_CHECK_WHITELIST += "CVE-2020-8032" diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb index 4a9cf9db40..7cf8cfa94c 100644 --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRCREV ?= "34e3ffb194f6fa3028c0eb2ff57e7db2d1026771" -SRC_URI = "git://github.com/open-iscsi/open-iscsi \ +SRC_URI = "git://github.com/open-iscsi/open-iscsi;branch=master;protocol=https \ file://0001-Makefile-Do-not-set-Werror.patch \ file://initd.debian \ file://99_iscsi-initiator-utils \ diff --git a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb index 61d656b7ca..d5296f6a96 100644 --- a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb +++ b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb @@ -13,7 +13,7 @@ RDEPENDS_${PN} = "python3-pygobject python3-dbus" REQUIRED_DISTRO_FEATURES = "systemd" SRCREV = "333ef1ed1d7c7c17264fcf7629e5c2f78ab4112c" -SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https" +SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch new file mode 100644 index 0000000000..b6ec8c70df --- /dev/null +++ b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch @@ -0,0 +1,46 @@ +From 1f25dae3f38548bad32c5a3ebee4c07938d8c1b8 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Thu, 30 Dec 2021 10:35:57 +0800 +Subject: [PATCH] fix build with glibc 2.34 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The closefrom() function which is introduced in glibc 2.34 conflicts +with the one provided by postfix. + +Fixes: +| In file included from attr_clnt.c:88: +| /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’ +| 363 | extern void closefrom (int __lowfd) __THROW; +| | ^~~~~~~~~ +| In file included from attr_clnt.c:87: +| ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’ +| 1506 | extern int closefrom(int); +| | ^~~~~~~~~ + +Upstream-Status: Backport +[https://github.com/vdukhovni/postfix/commit/3d966d3bd5f95b2c918aefb864549fa9f0442e24] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/util/sys_defs.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h +index 39daa16..5de5855 100644 +--- a/src/util/sys_defs.h ++++ b/src/util/sys_defs.h +@@ -827,6 +827,9 @@ extern int initgroups(const char *, int); + #define HAVE_POSIX_GETPW_R + #endif + #endif ++#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34) ++#define HAS_CLOSEFROM ++#endif + + #endif + +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb index db5b41bfbd..2612e12be4 100644 --- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb +++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb @@ -13,6 +13,7 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P file://postfix-install.patch \ file://icu-config.patch \ file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \ + file://0001-fix-build-with-glibc-2.34.patch \ " -SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec" -UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz" +SRC_URI[sha256sum] = "5f71658546d9b65863249dec3a189d084ea0596e23dc4613c579ad3ae75b10d2" +UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz" diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch new file mode 100644 index 0000000000..712d5db07d --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch @@ -0,0 +1,51 @@ +From ed31fe2cbd5b8b1148b467f84f7acea66fa43bb8 Mon Sep 17 00:00:00 2001 +From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com> +Date: Tue, 3 Aug 2021 21:53:28 +0200 +Subject: [PATCH] CVE-2021-46854 + +mod_radius: copy _only_ the password + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43] +CVE: CVE-2021-46854 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + contrib/mod_radius.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c +index b56cdfe..f234dd5 100644 +--- a/contrib/mod_radius.c ++++ b/contrib/mod_radius.c +@@ -2319,21 +2319,26 @@ static void radius_add_passwd(radius_packet_t *packet, unsigned char type, + + pwlen = strlen((const char *) passwd); + ++ /* Clear the buffers. */ ++ memset(pwhash, '\0', sizeof(pwhash)); ++ + if (pwlen == 0) { + pwlen = RADIUS_PASSWD_LEN; + + } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) { ++ /* pwlen is not a multiple of RADIUS_PASSWD_LEN, need to prepare a proper buffer */ ++ memcpy(pwhash, passwd, pwlen); + + /* Round up the length. */ + pwlen += (RADIUS_PASSWD_LEN - 1); + + /* Truncate the length, as necessary. */ + pwlen &= ~(RADIUS_PASSWD_LEN - 1); ++ } else { ++ /* pwlen is a multiple of RADIUS_PASSWD_LEN, we can just use it. */ ++ memcpy(pwhash, passwd, pwlen); + } + +- /* Clear the buffers. */ +- memset(pwhash, '\0', sizeof(pwhash)); +- memcpy(pwhash, passwd, pwlen); + + /* Find the password attribute. */ + attrib = radius_get_attrib(packet, RADIUS_PASSWORD); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch new file mode 100644 index 0000000000..12f6948075 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch @@ -0,0 +1,278 @@ +From 97bbe68363ccf2de0c07f67170ec64a8b4d62592 Mon Sep 17 00:00:00 2001 +From: TJ Saunders <tj@castaglia.org> +Date: Sun, 6 Aug 2023 13:16:26 -0700 +Subject: [PATCH] Issue #1683: Avoid an edge case when handling unexpectedly + formatted input text from client, caused by quote/backslash semantics, by + skipping those semantics. + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592] +CVE: CVE-2023-51713 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/str.h | 3 ++- + src/main.c | 35 +++++++++++++++++++++++++++++----- + src/str.c | 22 +++++++++++++--------- + tests/api/str.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 94 insertions(+), 16 deletions(-) + +diff --git a/include/str.h b/include/str.h +index 316a32a..049a1b2 100644 +--- a/include/str.h ++++ b/include/str.h +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -121,6 +121,7 @@ const char *pr_gid2str(pool *, gid_t); + #define PR_STR_FL_PRESERVE_COMMENTS 0x0001 + #define PR_STR_FL_PRESERVE_WHITESPACE 0x0002 + #define PR_STR_FL_IGNORE_CASE 0x0004 ++#define PR_STR_FL_IGNORE_QUOTES 0x0008 + + char *pr_str_get_token(char **, char *); + char *pr_str_get_token2(char **, char *, size_t *); +diff --git a/src/main.c b/src/main.c +index 1ead27f..01b1ef8 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -787,8 +787,24 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* By default, pr_str_get_word will handle quotes and backslashes for ++ * escaping characters. This can produce words which are shorter, use ++ * fewer bytes than the corresponding input buffer. ++ * ++ * In this particular situation, we use the length of this initial word ++ * for determining the length of the remaining buffer bytes, assumed to ++ * contain the FTP command arguments. If this initial word is thus ++ * unexpectedly "shorter", due to nonconformant FTP text, it can lead ++ * the subsequent buffer scan, looking for CRNUL sequencees, to access ++ * unexpected memory addresses (Issue #1683). ++ * ++ * Thus for this particular situation, we tell the function to ignore/skip ++ * such quote/backslash semantics, and treat them as any other character ++ * using the IGNORE_QUOTES flag. ++ */ ++ + ptr = buf; +- wrd = pr_str_get_word(&ptr, str_flags); ++ wrd = pr_str_get_word(&ptr, str_flags|PR_STR_FL_IGNORE_QUOTES); + if (wrd == NULL) { + /* Nothing there...bail out. */ + pr_trace_msg("ctrl", 5, "command '%s' is empty, ignoring", buf); +@@ -796,6 +812,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* Note that this first word is the FTP command. This is why we make ++ * use of the ptr buffer, which advances through the input buffer as ++ * we read words from the buffer. ++ */ ++ + subpool = make_sub_pool(p); + pr_pool_tag(subpool, "make_ftp_cmd pool"); + cmd = pcalloc(subpool, sizeof(cmd_rec)); +@@ -822,6 +843,7 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + arg_len = buflen - strlen(wrd); + arg = pcalloc(cmd->pool, arg_len + 1); + ++ /* Remember that ptr here is advanced past the first word. */ + for (i = 0, j = 0; i < arg_len; i++) { + pr_signals_handle(); + if (i > 1 && +@@ -830,15 +852,13 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + + /* Strip out the NUL by simply not copying it into the new buffer. */ + have_crnul = TRUE; +- ++ + } else { + arg[j++] = ptr[i]; + } + } + +- cmd->arg = arg; +- +- if (have_crnul) { ++ if (have_crnul == TRUE) { + char *dup_arg; + + /* Now make a copy of the stripped argument; this is what we need to +@@ -848,6 +868,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + ptr = dup_arg; + } + ++ cmd->arg = arg; ++ ++ /* Now we can read the remamining words, as command arguments, from the ++ * input buffer. ++ */ + while ((wrd = pr_str_get_word(&ptr, str_flags)) != NULL) { + pr_signals_handle(); + *((char **) push_array(tarr)) = pstrdup(cmd->pool, wrd); +diff --git a/src/str.c b/src/str.c +index eeed096..04188ce 100644 +--- a/src/str.c ++++ b/src/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -1209,7 +1209,7 @@ int pr_str_get_nbytes(const char *str, const char *units, off_t *nbytes) { + + char *pr_str_get_word(char **cp, int flags) { + char *res, *dst; +- char quote_mode = 0; ++ int quote_mode = FALSE; + + if (cp == NULL || + !*cp || +@@ -1238,24 +1238,28 @@ char *pr_str_get_word(char **cp, int flags) { + } + } + +- if (**cp == '\"') { +- quote_mode++; +- (*cp)++; ++ if (!(flags & PR_STR_FL_IGNORE_QUOTES)) { ++ if (**cp == '\"') { ++ quote_mode = TRUE; ++ (*cp)++; ++ } + } + + while (**cp && (quote_mode ? (**cp != '\"') : !PR_ISSPACE(**cp))) { + pr_signals_handle(); + +- if (**cp == '\\' && quote_mode) { +- ++ if (**cp == '\\' && ++ quote_mode == TRUE) { + /* Escaped char */ + if (*((*cp)+1)) { +- *dst = *(++(*cp)); ++ *dst++ = *(++(*cp)); ++ (*cp)++; ++ continue; + } + } + + *dst++ = **cp; +- ++(*cp); ++ (*cp)++; + } + + if (**cp) { +diff --git a/tests/api/str.c b/tests/api/str.c +index 7c6e110..77fda8f 100644 +--- a/tests/api/str.c ++++ b/tests/api/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server testsuite +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -695,19 +695,23 @@ END_TEST + START_TEST (get_word_test) { + char *ok, *res, *str; + ++ mark_point(); + res = pr_str_get_word(NULL, 0); + fail_unless(res == NULL, "Failed to handle null arguments"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = NULL; + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle null str argument"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = pstrdup(p, " "); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle whitespace argument"); + ++ mark_point(); + str = pstrdup(p, " foo"); + res = pr_str_get_word(&str, PR_STR_FL_PRESERVE_WHITESPACE); + fail_unless(res != NULL, "Failed to handle whitespace argument: %s", +@@ -723,6 +727,7 @@ START_TEST (get_word_test) { + ok = "foo"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + ++ mark_point(); + str = pstrdup(p, " # foo"); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle commented argument"); +@@ -742,6 +747,8 @@ START_TEST (get_word_test) { + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + + /* Test multiple embedded quotes. */ ++ ++ mark_point(); + str = pstrdup(p, "foo \"bar baz\" qux \"quz norf\""); + res = pr_str_get_word(&str, 0); + fail_unless(res != NULL, "Failed to handle quoted argument: %s", +@@ -770,6 +777,47 @@ START_TEST (get_word_test) { + + ok = "quz norf"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ ++ /* Test embedded quotes with backslashes (Issue #1683). */ ++ mark_point(); ++ ++ str = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ ok = "\\SYST"; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ /* Note that pr_str_get_word() is intended to be called multiple times ++ * on an advancing buffer, effectively tokenizing the buffer. This is ++ * why the function does NOT decrement its quote mode. ++ */ ++ ok = ""; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ /* Now do the same tests with the IGNORE_QUOTES flag */ ++ mark_point(); ++ ++ str = ok = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = ok = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + } + END_TEST + +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb index 1e4697a633..aa1f9e4ef9 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb @@ -12,6 +12,8 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ file://contrib.patch \ file://build_fixup.patch \ file://proftpd.service \ + file://CVE-2021-46854.patch \ + file://CVE-2023-51713.patch \ " SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b" SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf" diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch new file mode 100644 index 0000000000..b11721041e --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch @@ -0,0 +1,608 @@ +Partial backport of: + +From 6ea12e8fb590ac6959e9356a81aa3370576568c3 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Tue, 26 Jul 2022 15:05:54 +0000 +Subject: [PATCH] Remove support for Gopher protocol (#1092) + +Gopher code quality remains too low for production use in most +environments. The code is a persistent source of vulnerabilities and +fixing it requires significant effort. We should not be spending scarce +Project resources on improving that code, especially given the lack of +strong demand for Gopher support. + +With this change, Gopher requests will be handled like any other request +with an unknown (to Squid) protocol. For example, HTTP requests with +Gopher URI scheme result in ERR_UNSUP_REQ. + +Default Squid configuration still considers TCP port 70 "safe". The +corresponding Safe_ports ACL rule has not been removed for consistency +sake: We consider WAIS port safe even though Squid refuses to forward +WAIS requests: + + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46728.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3] +CVE: CVE-2023-46728 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + doc/Programming-Guide/Groups.dox | 5 - + doc/debug-sections.txt | 1 - + doc/manuals/de.po | 2 +- + doc/manuals/en.po | 2 +- + doc/manuals/en_AU.po | 2 +- + doc/manuals/es.po | 2 +- + doc/manuals/fr.po | 2 +- + doc/manuals/it.po | 2 +- + errors/af.po | 6 +- + errors/az.po | 6 +- + errors/bg.po | 6 +- + errors/ca.po | 6 +- + errors/cs.po | 6 +- + errors/da.po | 6 +- + errors/de.po | 6 +- + errors/el.po | 4 +- + errors/en.po | 6 +- + errors/errorpage.css | 2 +- + errors/es-mx.po | 3 +- + errors/es.po | 4 +- + errors/et.po | 6 +- + errors/fi.po | 7 +- + errors/fr.po | 6 +- + errors/he.po | 6 +- + errors/hu.po | 6 +- + errors/hy.po | 6 +- + errors/it.po | 4 +- + errors/ja.po | 6 +- + errors/ko.po | 6 +- + errors/lt.po | 6 +- + errors/lv.po | 6 +- + errors/nl.po | 6 +- + errors/pl.po | 6 +- + errors/pt-br.po | 6 +- + errors/pt.po | 6 +- + errors/ro.po | 4 +- + errors/ru.po | 6 +- + errors/sk.po | 6 +- + errors/sl.po | 6 +- + errors/sr-latn.po | 4 +- + errors/sv.po | 6 +- + errors/templates/ERR_UNSUP_REQ | 2 +- + errors/tr.po | 6 +- + errors/uk.po | 6 +- + errors/vi.po | 4 +- + errors/zh-hans.po | 6 +- + errors/zh-hant.po | 7 +- + src/FwdState.cc | 5 - + src/HttpRequest.cc | 6 - + src/IoStats.h | 2 +- + src/Makefile.am | 8 - + src/adaptation/ecap/Host.cc | 1 - + src/adaptation/ecap/MessageRep.cc | 2 - + src/anyp/ProtocolType.h | 1 - + src/anyp/Uri.cc | 1 - + src/anyp/UriScheme.cc | 3 - + src/cf.data.pre | 5 +- + src/client_side_request.cc | 4 - + src/error/forward.h | 2 +- + src/gopher.cc | 993 ----------------------- + src/gopher.h | 29 - + src/http/Message.h | 1 - + src/mgr/IoAction.cc | 3 - + src/mgr/IoAction.h | 2 - + src/squid.8.in | 2 +- + src/stat.cc | 19 - + src/tests/Stub.am | 1 - + src/tests/stub_gopher.cc | 17 - + test-suite/squidconf/regressions-3.4.0.1 | 1 - + 69 files changed, 88 insertions(+), 1251 deletions(-) + delete mode 100644 src/gopher.cc + delete mode 100644 src/gopher.h + delete mode 100644 src/tests/stub_gopher.cc + +--- a/src/FwdState.cc ++++ b/src/FwdState.cc +@@ -28,7 +28,6 @@ + #include "fde.h" + #include "FwdState.h" + #include "globals.h" +-#include "gopher.h" + #include "hier_code.h" + #include "http.h" + #include "http/Stream.h" +@@ -1004,10 +1003,6 @@ FwdState::dispatch() + httpStart(this); + break; + +- case AnyP::PROTO_GOPHER: +- gopherStart(this); +- break; +- + case AnyP::PROTO_FTP: + if (request->flags.ftpNative) + Ftp::StartRelay(this); +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -18,7 +18,6 @@ + #include "Downloader.h" + #include "err_detail_type.h" + #include "globals.h" +-#include "gopher.h" + #include "http.h" + #include "http/one/RequestParser.h" + #include "http/Stream.h" +@@ -556,11 +555,6 @@ HttpRequest::maybeCacheable() + return false; + break; + +- case AnyP::PROTO_GOPHER: +- if (!gopherCachable(this)) +- return false; +- break; +- + case AnyP::PROTO_CACHE_OBJECT: + return false; + +--- a/src/IoStats.h ++++ b/src/IoStats.h +@@ -22,7 +22,7 @@ public: + int writes; + int write_hist[histSize]; + } +- Http, Ftp, Gopher; ++ Http, Ftp; + }; + + #endif /* SQUID_IOSTATS_H_ */ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -306,8 +306,6 @@ squid_SOURCES = \ + FwdState.h \ + Generic.h \ + globals.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + helper.h \ + hier_code.h \ +@@ -1259,8 +1257,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -1678,8 +1674,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -1914,8 +1908,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2145,8 +2137,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2461,8 +2451,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -3307,8 +3295,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +--- a/src/adaptation/ecap/Host.cc ++++ b/src/adaptation/ecap/Host.cc +@@ -49,7 +49,6 @@ Adaptation::Ecap::Host::Host() + libecap::protocolHttp.assignHostId(AnyP::PROTO_HTTP); + libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS); + libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP); +- libecap::protocolGopher.assignHostId(AnyP::PROTO_GOPHER); + libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS); + libecap::protocolUrn.assignHostId(AnyP::PROTO_URN); + libecap::protocolWhois.assignHostId(AnyP::PROTO_WHOIS); +--- a/src/adaptation/ecap/MessageRep.cc ++++ b/src/adaptation/ecap/MessageRep.cc +@@ -140,8 +140,6 @@ Adaptation::Ecap::FirstLineRep::protocol + return libecap::protocolHttps; + case AnyP::PROTO_FTP: + return libecap::protocolFtp; +- case AnyP::PROTO_GOPHER: +- return libecap::protocolGopher; + case AnyP::PROTO_WAIS: + return libecap::protocolWais; + case AnyP::PROTO_WHOIS: +--- a/src/anyp/ProtocolType.h ++++ b/src/anyp/ProtocolType.h +@@ -27,7 +27,6 @@ typedef enum { + PROTO_HTTPS, + PROTO_COAP, + PROTO_COAPS, +- PROTO_GOPHER, + PROTO_WAIS, + PROTO_CACHE_OBJECT, + PROTO_ICP, +--- a/src/anyp/Uri.cc ++++ b/src/anyp/Uri.cc +@@ -852,8 +852,6 @@ urlCheckRequest(const HttpRequest * r) + if (r->method == Http::METHOD_PUT) + rc = 1; + +- case AnyP::PROTO_GOPHER: +- + case AnyP::PROTO_WAIS: + + case AnyP::PROTO_WHOIS: +--- a/src/anyp/UriScheme.cc ++++ b/src/anyp/UriScheme.cc +@@ -87,9 +87,6 @@ AnyP::UriScheme::defaultPort() const + // Assuming IANA policy of allocating same port for base and TLS protocol versions will occur. + return 5683; + +- case AnyP::PROTO_GOPHER: +- return 70; +- + case AnyP::PROTO_WAIS: + return 210; + +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -33,7 +33,6 @@ + #include "fd.h" + #include "fde.h" + #include "format/Token.h" +-#include "gopher.h" + #include "helper.h" + #include "helper/Reply.h" + #include "http.h" +@@ -965,9 +964,6 @@ clientHierarchical(ClientHttpRequest * h + if (request->url.getScheme() == AnyP::PROTO_HTTP) + return method.respMaybeCacheable(); + +- if (request->url.getScheme() == AnyP::PROTO_GOPHER) +- return gopherCachable(request); +- + if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT) + return 0; + +--- a/src/err_type.h ++++ b/src/err_type.h +@@ -65,7 +65,7 @@ typedef enum { + ERR_GATEWAY_FAILURE, + + /* Special Cases */ +- ERR_DIR_LISTING, /* Display of remote directory (FTP, Gopher) */ ++ ERR_DIR_LISTING, /* Display of remote directory (FTP) */ + ERR_SQUID_SIGNATURE, /* not really an error */ + ERR_SHUTTING_DOWN, + ERR_PROTOCOL_UNKNOWN, +--- a/src/HttpMsg.h ++++ b/src/HttpMsg.h +@@ -38,7 +38,6 @@ public: + srcFtp = 1 << (16 + 1), ///< ftp_port or FTP server + srcIcap = 1 << (16 + 2), ///< traditional ICAP service without encryption + srcEcap = 1 << (16 + 3), ///< eCAP service that uses insecure libraries/daemons +- srcGopher = 1 << (16 + 14), ///< Gopher server + srcWhois = 1 << (16 + 15), ///< Whois server + srcUnsafe = 0xFFFF0000, ///< Unsafe sources mask + srcSafe = 0x0000FFFF ///< Safe sources mask +--- a/src/mgr/IoAction.cc ++++ b/src/mgr/IoAction.cc +@@ -35,9 +35,6 @@ Mgr::IoActionData::operator += (const Io + ftp_reads += stats.ftp_reads; + for (int i = 0; i < IoStats::histSize; ++i) + ftp_read_hist[i] += stats.ftp_read_hist[i]; +- gopher_reads += stats.gopher_reads; +- for (int i = 0; i < IoStats::histSize; ++i) +- gopher_read_hist[i] += stats.gopher_read_hist[i]; + + return *this; + } +--- a/src/mgr/IoAction.h ++++ b/src/mgr/IoAction.h +@@ -27,10 +27,8 @@ public: + public: + double http_reads; + double ftp_reads; +- double gopher_reads; + double http_read_hist[IoStats::histSize]; + double ftp_read_hist[IoStats::histSize]; +- double gopher_read_hist[IoStats::histSize]; + }; + + /// implement aggregated 'io' action +--- a/src/stat.cc ++++ b/src/stat.cc +@@ -206,12 +206,6 @@ GetIoStats(Mgr::IoActionData& stats) + for (i = 0; i < IoStats::histSize; ++i) { + stats.ftp_read_hist[i] = IOStats.Ftp.read_hist[i]; + } +- +- stats.gopher_reads = IOStats.Gopher.reads; +- +- for (i = 0; i < IoStats::histSize; ++i) { +- stats.gopher_read_hist[i] = IOStats.Gopher.read_hist[i]; +- } + } + + void +@@ -245,19 +239,6 @@ DumpIoStats(Mgr::IoActionData& stats, St + } + + storeAppendPrintf(sentry, "\n"); +- storeAppendPrintf(sentry, "Gopher I/O\n"); +- storeAppendPrintf(sentry, "number of reads: %.0f\n", stats.gopher_reads); +- storeAppendPrintf(sentry, "Read Histogram:\n"); +- +- for (i = 0; i < IoStats::histSize; ++i) { +- storeAppendPrintf(sentry, "%5d-%5d: %9.0f %2.0f%%\n", +- i ? (1 << (i - 1)) + 1 : 1, +- 1 << i, +- stats.gopher_read_hist[i], +- Math::doublePercent(stats.gopher_read_hist[i], stats.gopher_reads)); +- } +- +- storeAppendPrintf(sentry, "\n"); + } + + static const char * +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -263,7 +263,7 @@ am__squid_SOURCES_DIST = AclRegs.cc Auth + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h htcp.cc \ + htcp.h http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -352,7 +352,7 @@ am_squid_OBJECTS = $(am__objects_1) Acce + EventLoop.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) FadingCounter.$(OBJEXT) \ + fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrRange.$(OBJEXT) HttpHdrSc.$(OBJEXT) \ + HttpHdrScTarget.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -539,7 +539,7 @@ am__tests_testCacheManager_SOURCES_DIST + tests/stub_ETag.cc event.cc external_acl.cc \ + ExternalACLEntry.cc fatal.h tests/stub_fatal.cc fd.h fd.cc \ + fde.cc FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc hier_code.h \ ++ FwdState.cc FwdState.h hier_code.h \ + helper.cc htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -594,7 +594,7 @@ am_tests_testCacheManager_OBJECTS = Acce + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) HttpHeader.$(OBJEXT) \ + HttpHeaderTools.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ +@@ -838,7 +838,7 @@ am__tests_testEvent_SOURCES_DIST = Acces + EventLoop.h EventLoop.cc external_acl.cc ExternalACLEntry.cc \ + FadingCounter.cc fatal.h tests/stub_fatal.cc fd.h fd.cc fde.cc \ + FileMap.h filemap.cc fqdncache.h fqdncache.cc FwdState.cc \ +- FwdState.h gopher.h gopher.cc helper.cc hier_code.h htcp.cc \ ++ FwdState.h helper.cc hier_code.h htcp.cc \ + htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -891,7 +891,7 @@ am_tests_testEvent_OBJECTS = AccessLogEn + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -975,8 +975,8 @@ am__tests_testEventLoop_SOURCES_DIST = A + tests/stub_ETag.cc EventLoop.h EventLoop.cc event.cc \ + external_acl.cc ExternalACLEntry.cc FadingCounter.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -1029,7 +1029,7 @@ am_tests_testEventLoop_OBJECTS = AccessL + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1187,7 +1187,7 @@ am__tests_testHttpRequest_SOURCES_DIST = + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc \ + tests/stub_ETag.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc helper.cc \ ++ FwdState.cc FwdState.h helper.cc \ + hier_code.h htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -1243,7 +1243,7 @@ am_tests_testHttpRequest_OBJECTS = Acces + $(am__objects_4) errorpage.$(OBJEXT) tests/stub_ETag.$(OBJEXT) \ + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1670,8 +1670,8 @@ am__tests_testURL_SOURCES_DIST = AccessL + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc ETag.cc \ + event.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1725,7 +1725,7 @@ am_tests_testURL_OBJECTS = AccessLogEntr + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -1925,8 +1925,8 @@ am__tests_test_http_range_SOURCES_DIST = + dns_internal.cc errorpage.cc tests/stub_ETag.cc event.cc \ + FadingCounter.cc fatal.h tests/stub_libauth.cc \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1979,7 +1979,7 @@ am_tests_test_http_range_OBJECTS = Acces + FadingCounter.$(OBJEXT) tests/stub_libauth.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ + filemap.$(OBJEXT) fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ +- gopher.$(OBJEXT) helper.$(OBJEXT) $(am__objects_5) \ ++ helper.$(OBJEXT) $(am__objects_5) \ + http.$(OBJEXT) HttpBody.$(OBJEXT) \ + tests/stub_HttpControlMsg.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ + HttpHdrContRange.$(OBJEXT) HttpHdrRange.$(OBJEXT) \ +@@ -2131,7 +2131,7 @@ am__depfiles_remade = ./$(DEPDIR)/Access + ./$(DEPDIR)/external_acl.Po ./$(DEPDIR)/fatal.Po \ + ./$(DEPDIR)/fd.Po ./$(DEPDIR)/fde.Po ./$(DEPDIR)/filemap.Po \ + ./$(DEPDIR)/fqdncache.Po ./$(DEPDIR)/fs_io.Po \ +- ./$(DEPDIR)/globals.Po ./$(DEPDIR)/gopher.Po \ ++ ./$(DEPDIR)/globals.Po \ + ./$(DEPDIR)/helper.Po ./$(DEPDIR)/hier_code.Po \ + ./$(DEPDIR)/htcp.Po ./$(DEPDIR)/http.Po \ + ./$(DEPDIR)/icp_opcode.Po ./$(DEPDIR)/icp_v2.Po \ +@@ -3043,7 +3043,7 @@ squid_SOURCES = $(ACL_REGISTRATION_SOURC + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h \ + $(HTCPSOURCE) http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -3708,8 +3708,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -4134,8 +4132,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4371,8 +4367,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4604,8 +4598,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4924,8 +4916,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -5777,8 +5767,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -6823,7 +6811,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fqdncache.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fs_io.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/globals.Po@am__quote@ # am--include-marker +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gopher.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/helper.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hier_code.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/htcp.Po@am__quote@ # am--include-marker +@@ -7804,7 +7791,6 @@ distclean: distclean-recursive + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm -f ./$(DEPDIR)/helper.Po + -rm -f ./$(DEPDIR)/hier_code.Po + -rm -f ./$(DEPDIR)/htcp.Po +@@ -8129,7 +8115,6 @@ maintainer-clean: maintainer-clean-recur + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm -f ./$(DEPDIR)/helper.Po + -rm -f ./$(DEPDIR)/hier_code.Po + -rm -f ./$(DEPDIR)/htcp.Po diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch new file mode 100644 index 0000000000..5b4e370d49 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch @@ -0,0 +1,1154 @@ +Backport of: + +From 417da4006cf5c97d44e74431b816fc58fec9e270 Mon Sep 17 00:00:00 2001 +From: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com> +Date: Mon, 18 Mar 2019 17:48:21 +0000 +Subject: [PATCH] Fix incremental parsing of chunked quoted extensions (#310) + +Before this change, incremental parsing of quoted chunked extensions +was broken for two reasons: + +* Http::One::Parser::skipLineTerminator() unexpectedly threw after + partially received quoted chunk extension value. + +* When Http::One::Tokenizer was unable to parse a quoted extension, + it incorrectly restored the input buffer to the beginning of the + extension value (instead of the extension itself), thus making + further incremental parsing iterations impossible. + +IMO, the reason for this problem was that Http::One::Tokenizer::qdText() +could not distinguish two cases (returning false in both): + +* the end of the quoted string not yet reached + +* an input error, e.g., wrong/unexpected character + +A possible approach could be to improve Http::One::Tokenizer, making it +aware about "needs more data" state. However, to be acceptable, +these improvements should be done in the base Parser::Tokenizer +class instead. These changes seem to be non-trivial and could be +done separately and later. + +Another approach, used here, is to simplify the complex and error-prone +chunked extensions parsing algorithm, fixing incremental parsing bugs +and still parse incrementally in almost all cases. The performance +regression could be expected only in relatively rare cases of partially +received or malformed extensions. + +Also: +* fixed parsing of partial use-original-body extension values +* do not treat an invalid use-original-body as an unknown extension +* optimization: parse use-original-body extension only in ICAP context + (i.e., where it is expected) +* improvement: added a new API to TeChunkedParser to specify known + chunked extensions list + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846-pre1.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270] +CVE: CVE-2023-46846 #Dependency Patch1 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/adaptation/icap/ModXact.cc | 21 ++++- + src/adaptation/icap/ModXact.h | 20 +++++ + src/http/one/Parser.cc | 35 ++++---- + src/http/one/Parser.h | 10 ++- + src/http/one/RequestParser.cc | 16 ++-- + src/http/one/RequestParser.h | 8 +- + src/http/one/ResponseParser.cc | 17 ++-- + src/http/one/ResponseParser.h | 2 +- + src/http/one/TeChunkedParser.cc | 139 ++++++++++++++++++-------------- + src/http/one/TeChunkedParser.h | 41 ++++++++-- + src/http/one/Tokenizer.cc | 104 ++++++++++++------------ + src/http/one/Tokenizer.h | 89 ++++++++------------ + src/http/one/forward.h | 3 + + src/parser/BinaryTokenizer.h | 3 +- + src/parser/Makefile.am | 1 + + src/parser/Tokenizer.cc | 40 +++++++++ + src/parser/Tokenizer.h | 13 +++ + src/parser/forward.h | 22 +++++ + 18 files changed, 364 insertions(+), 220 deletions(-) + create mode 100644 src/parser/forward.h + +--- a/src/adaptation/icap/ModXact.cc ++++ b/src/adaptation/icap/ModXact.cc +@@ -25,12 +25,13 @@ + #include "comm.h" + #include "comm/Connection.h" + #include "err_detail_type.h" +-#include "http/one/TeChunkedParser.h" + #include "HttpHeaderTools.h" + #include "HttpMsg.h" + #include "HttpReply.h" + #include "HttpRequest.h" + #include "MasterXaction.h" ++#include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + #include "SquidTime.h" + + // flow and terminology: +@@ -44,6 +45,8 @@ CBDATA_NAMESPACED_CLASS_INIT(Adaptation: + + static const size_t TheBackupLimit = BodyPipe::MaxCapacity; + ++const SBuf Adaptation::Icap::ChunkExtensionValueParser::UseOriginalBodyName("use-original-body"); ++ + Adaptation::Icap::ModXact::State::State() + { + memset(this, 0, sizeof(*this)); +@@ -1108,6 +1111,7 @@ void Adaptation::Icap::ModXact::decideOn + state.parsing = State::psBody; + replyHttpBodySize = 0; + bodyParser = new Http1::TeChunkedParser; ++ bodyParser->parseExtensionValuesWith(&extensionParser); + makeAdaptedBodyPipe("adapted response from the ICAP server"); + Must(state.sending == State::sendingAdapted); + } else { +@@ -1142,9 +1146,8 @@ void Adaptation::Icap::ModXact::parseBod + } + + if (parsed) { +- if (state.readyForUob && bodyParser->useOriginBody >= 0) { +- prepPartialBodyEchoing( +- static_cast<uint64_t>(bodyParser->useOriginBody)); ++ if (state.readyForUob && extensionParser.sawUseOriginalBody()) { ++ prepPartialBodyEchoing(extensionParser.useOriginalBody()); + stopParsing(); + return; + } +@@ -2014,3 +2017,14 @@ void Adaptation::Icap::ModXactLauncher:: + } + } + ++void ++Adaptation::Icap::ChunkExtensionValueParser::parse(Tokenizer &tok, const SBuf &extName) ++{ ++ if (extName == UseOriginalBodyName) { ++ useOriginalBody_ = tok.udec64("use-original-body"); ++ assert(useOriginalBody_ >= 0); ++ } else { ++ Ignore(tok, extName); ++ } ++} ++ +--- a/src/adaptation/icap/ModXact.h ++++ b/src/adaptation/icap/ModXact.h +@@ -15,6 +15,7 @@ + #include "adaptation/icap/Xaction.h" + #include "BodyPipe.h" + #include "http/one/forward.h" ++#include "http/one/TeChunkedParser.h" + + /* + * ICAPModXact implements ICAP REQMOD and RESPMOD transaction using +@@ -105,6 +106,23 @@ private: + enum State { stDisabled, stWriting, stIeof, stDone } theState; + }; + ++/// handles ICAP-specific chunk extensions supported by Squid ++class ChunkExtensionValueParser: public Http1::ChunkExtensionValueParser ++{ ++public: ++ /* Http1::ChunkExtensionValueParser API */ ++ virtual void parse(Tokenizer &tok, const SBuf &extName) override; ++ ++ bool sawUseOriginalBody() const { return useOriginalBody_ >= 0; } ++ uint64_t useOriginalBody() const { assert(sawUseOriginalBody()); return static_cast<uint64_t>(useOriginalBody_); } ++ ++private: ++ static const SBuf UseOriginalBodyName; ++ ++ /// the value of the parsed use-original-body chunk extension (or -1) ++ int64_t useOriginalBody_ = -1; ++}; ++ + class ModXact: public Xaction, public BodyProducer, public BodyConsumer + { + CBDATA_CLASS(ModXact); +@@ -270,6 +288,8 @@ private: + + int adaptHistoryId; ///< adaptation history slot reservation + ++ ChunkExtensionValueParser extensionParser; ++ + class State + { + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -7,10 +7,11 @@ + */ + + #include "squid.h" ++#include "base/CharacterSet.h" + #include "Debug.h" + #include "http/one/Parser.h" +-#include "http/one/Tokenizer.h" + #include "mime_header.h" ++#include "parser/Tokenizer.h" + #include "SquidConfig.h" + + /// RFC 7230 section 2.6 - 7 magic octets +@@ -61,20 +62,19 @@ Http::One::Parser::DelimiterCharacters() + RelaxedDelimiterCharacters() : CharacterSet::SP; + } + +-bool +-Http::One::Parser::skipLineTerminator(Http1::Tokenizer &tok) const ++void ++Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { + if (tok.skip(Http1::CrLf())) +- return true; ++ return; + + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) +- return true; ++ return; + + if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- return false; // need more data ++ throw InsufficientInput(); + + throw TexcHere("garbage instead of CRLF line terminator"); +- return false; // unreachable, but make naive compilers happy + } + + /// all characters except the LF line terminator +@@ -102,7 +102,7 @@ LineCharacters() + void + Http::One::Parser::cleanMimePrefix() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + while (tok.skipOne(RelaxedDelimiterCharacters())) { + (void)tok.skipAll(LineCharacters()); // optional line content + // LF terminator is required. +@@ -137,7 +137,7 @@ Http::One::Parser::cleanMimePrefix() + void + Http::One::Parser::unfoldMime() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + const auto szLimit = mimeHeaderBlock_.length(); + mimeHeaderBlock_.clear(); + // prevent the mime sender being able to make append() realloc/grow multiple times. +@@ -228,7 +228,7 @@ Http::One::Parser::getHostHeaderField() + debugs(25, 5, "looking for " << name); + + // while we can find more LF in the SBuf +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + SBuf p; + + while (tok.prefix(p, LineCharacters())) { +@@ -250,7 +250,7 @@ Http::One::Parser::getHostHeaderField() + p.consume(namelen + 1); + + // TODO: optimize SBuf::trim to take CharacterSet directly +- Http1::Tokenizer t(p); ++ Tokenizer t(p); + t.skipAll(CharacterSet::WSP); + p = t.remaining(); + +@@ -278,10 +278,15 @@ Http::One::ErrorLevel() + } + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-bool +-Http::One::ParseBws(Tokenizer &tok) ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) + { +- if (const auto count = tok.skipAll(Parser::WhitespaceCharacters())) { ++ const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); // even if count is positive ++ ++ if (count) { + // Generating BWS is a MUST-level violation so warn about it as needed. + debugs(33, ErrorLevel(), "found " << count << " BWS octets"); + // RFC 7230 says we MUST parse BWS, so we fall through even if +@@ -289,6 +294,6 @@ Http::One::ParseBws(Tokenizer &tok) + } + // else we successfully "parsed" an empty BWS sequence + +- return true; ++ // success: no more BWS characters expected + } + +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -12,6 +12,7 @@ + #include "anyp/ProtocolVersion.h" + #include "http/one/forward.h" + #include "http/StatusCode.h" ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Http { +@@ -40,6 +41,7 @@ class Parser : public RefCountable + { + public: + typedef SBuf::size_type size_type; ++ typedef ::Parser::Tokenizer Tokenizer; + + Parser() : parseStatusCode(Http::scNone), parsingStage_(HTTP_PARSE_NONE), hackExpectsMime_(false) {} + virtual ~Parser() {} +@@ -118,11 +120,11 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * throws if non-terminator is detected. ++ * \throws exception on bad or InsuffientInput. + * \retval true only if line terminator found. + * \retval false incomplete or missing line terminator, need more data. + */ +- bool skipLineTerminator(Http1::Tokenizer &tok) const; ++ void skipLineTerminator(Tokenizer &) const; + + /** + * Scan to find the mime headers block for current message. +@@ -159,8 +161,8 @@ private: + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \returns true (always; unlike all the skip*() functions) +-bool ParseBws(Tokenizer &tok); ++/// \throws InsufficientInput when the end of BWS cannot be confirmed ++void ParseBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +--- a/src/http/one/RequestParser.cc ++++ b/src/http/one/RequestParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include "http/one/RequestParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -64,7 +64,7 @@ Http::One::RequestParser::skipGarbageLin + * RFC 7230 section 2.6, 3.1 and 3.5 + */ + bool +-Http::One::RequestParser::parseMethodField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseMethodField(Tokenizer &tok) + { + // method field is a sequence of TCHAR. + // Limit to 32 characters to prevent overly long sequences of non-HTTP +@@ -145,7 +145,7 @@ Http::One::RequestParser::RequestTargetC + } + + bool +-Http::One::RequestParser::parseUriField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseUriField(Tokenizer &tok) + { + /* Arbitrary 64KB URI upper length limit. + * +@@ -178,7 +178,7 @@ Http::One::RequestParser::parseUriField( + } + + bool +-Http::One::RequestParser::parseHttpVersionField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseHttpVersionField(Tokenizer &tok) + { + static const SBuf http1p0("HTTP/1.0"); + static const SBuf http1p1("HTTP/1.1"); +@@ -253,7 +253,7 @@ Http::One::RequestParser::skipDelimiter( + + /// Parse CRs at the end of request-line, just before the terminating LF. + bool +-Http::One::RequestParser::skipTrailingCrs(Http1::Tokenizer &tok) ++Http::One::RequestParser::skipTrailingCrs(Tokenizer &tok) + { + if (Config.onoff.relaxed_header_parser) { + (void)tok.skipAllTrailing(CharacterSet::CR); // optional; multiple OK +@@ -289,12 +289,12 @@ Http::One::RequestParser::parseRequestFi + // Earlier, skipGarbageLines() took care of any leading LFs (if allowed). + // Now, the request line has to end at the first LF. + static const CharacterSet lineChars = CharacterSet::LF.complement("notLF"); +- ::Parser::Tokenizer lineTok(buf_); ++ Tokenizer lineTok(buf_); + if (!lineTok.prefix(line, lineChars) || !lineTok.skip('\n')) { + if (buf_.length() >= Config.maxRequestHeaderSize) { + /* who should we blame for our failure to parse this line? */ + +- Http1::Tokenizer methodTok(buf_); ++ Tokenizer methodTok(buf_); + if (!parseMethodField(methodTok)) + return -1; // blame a bad method (or its delimiter) + +@@ -308,7 +308,7 @@ Http::One::RequestParser::parseRequestFi + return 0; + } + +- Http1::Tokenizer tok(line); ++ Tokenizer tok(line); + + if (!parseMethodField(tok)) + return -1; +--- a/src/http/one/RequestParser.h ++++ b/src/http/one/RequestParser.h +@@ -54,11 +54,11 @@ private: + bool doParse(const SBuf &aBuf); + + /* all these return false and set parseStatusCode on parsing failures */ +- bool parseMethodField(Http1::Tokenizer &); +- bool parseUriField(Http1::Tokenizer &); +- bool parseHttpVersionField(Http1::Tokenizer &); ++ bool parseMethodField(Tokenizer &); ++ bool parseUriField(Tokenizer &); ++ bool parseHttpVersionField(Tokenizer &); + bool skipDelimiter(const size_t count, const char *where); +- bool skipTrailingCrs(Http1::Tokenizer &tok); ++ bool skipTrailingCrs(Tokenizer &tok); + + bool http0() const {return !msgProtocol_.major;} + static const CharacterSet &RequestTargetCharacters(); +--- a/src/http/one/ResponseParser.cc ++++ b/src/http/one/ResponseParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include "http/one/ResponseParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -47,7 +47,7 @@ Http::One::ResponseParser::firstLineSize + // NP: we found the protocol version and consumed it already. + // just need the status code and reason phrase + int +-Http::One::ResponseParser::parseResponseStatusAndReason(Http1::Tokenizer &tok, const CharacterSet &WspDelim) ++Http::One::ResponseParser::parseResponseStatusAndReason(Tokenizer &tok, const CharacterSet &WspDelim) + { + if (!completedStatus_) { + debugs(74, 9, "seek status-code in: " << tok.remaining().substr(0,10) << "..."); +@@ -87,14 +87,13 @@ Http::One::ResponseParser::parseResponse + static const CharacterSet phraseChars = CharacterSet::WSP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + (void)tok.prefix(reasonPhrase_, phraseChars); // optional, no error if missing + try { +- if (skipLineTerminator(tok)) { +- debugs(74, DBG_DATA, "parse remaining buf={length=" << tok.remaining().length() << ", data='" << tok.remaining() << "'}"); +- buf_ = tok.remaining(); // resume checkpoint +- return 1; +- } ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); // resume checkpoint ++ debugs(74, DBG_DATA, Raw("leftovers", buf_.rawContent(), buf_.length())); ++ return 1; ++ } catch (const InsufficientInput &) { + reasonPhrase_.clear(); + return 0; // need more to be sure we have it all +- + } catch (const std::exception &ex) { + debugs(74, 6, "invalid status-line: " << ex.what()); + } +@@ -119,7 +118,7 @@ Http::One::ResponseParser::parseResponse + int + Http::One::ResponseParser::parseResponseFirstLine() + { +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + const CharacterSet &WspDelim = DelimiterCharacters(); + +--- a/src/http/one/ResponseParser.h ++++ b/src/http/one/ResponseParser.h +@@ -43,7 +43,7 @@ public: + + private: + int parseResponseFirstLine(); +- int parseResponseStatusAndReason(Http1::Tokenizer&, const CharacterSet &); ++ int parseResponseStatusAndReason(Tokenizer&, const CharacterSet &); + + /// magic prefix for identifying ICY response messages + static const SBuf IcyMagic; +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -13,10 +13,13 @@ + #include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" + #include "MemBuf.h" ++#include "parser/Tokenizer.h" + #include "Parsing.h" ++#include "sbuf/Stream.h" + #include "SquidConfig.h" + +-Http::One::TeChunkedParser::TeChunkedParser() ++Http::One::TeChunkedParser::TeChunkedParser(): ++ customExtensionValueParser(nullptr) + { + // chunked encoding only exists in HTTP/1.1 + Http1::Parser::msgProtocol_ = Http::ProtocolVersion(1,1); +@@ -31,7 +34,11 @@ Http::One::TeChunkedParser::clear() + buf_.clear(); + theChunkSize = theLeftBodySize = 0; + theOut = NULL; +- useOriginBody = -1; ++ // XXX: We do not reset customExtensionValueParser here. Based on the ++ // clear() API description, we must, but it makes little sense and could ++ // break method callers if they appear because some of them may forget to ++ // reset customExtensionValueParser. TODO: Remove Http1::Parser as our ++ // parent class and this unnecessary method with it. + } + + bool +@@ -49,14 +56,14 @@ Http::One::TeChunkedParser::parse(const + if (parsingStage_ == Http1::HTTP_PARSE_NONE) + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + // loop for as many chunks as we can + // use do-while instead of while so that we can incrementally + // restart in the middle of a chunk/frame + do { + +- if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkExtension(tok, theChunkSize)) ++ if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkMetadataSuffix(tok)) + return false; + + if (parsingStage_ == Http1::HTTP_PARSE_CHUNK && !parseChunkBody(tok)) +@@ -80,7 +87,7 @@ Http::One::TeChunkedParser::needsMoreSpa + + /// RFC 7230 section 4.1 chunk-size + bool +-Http::One::TeChunkedParser::parseChunkSize(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok) + { + Must(theChunkSize <= 0); // Should(), really + +@@ -104,66 +111,75 @@ Http::One::TeChunkedParser::parseChunkSi + return false; // should not be reachable + } + +-/** +- * Parses chunk metadata suffix, looking for interesting extensions and/or +- * getting to the line terminator. RFC 7230 section 4.1.1 and its Errata #4667: +- * +- * chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +- * chunk-ext-name = token +- * chunk-ext-val = token / quoted-string +- * +- * ICAP 'use-original-body=N' extension is supported. +- */ +-bool +-Http::One::TeChunkedParser::parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown) +-{ +- SBuf ext; +- SBuf value; +- while ( +- ParseBws(tok) && // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- tok.skip(';') && +- ParseBws(tok) && // Bug 4492: ICAP servers send SP before chunk-ext-name +- tok.prefix(ext, CharacterSet::TCHAR)) { // chunk-ext-name +- +- // whole value part is optional. if no '=' expect next chunk-ext +- if (ParseBws(tok) && tok.skip('=') && ParseBws(tok)) { +- +- if (!skipKnown) { +- if (ext.cmp("use-original-body",17) == 0 && tok.int64(useOriginBody, 10)) { +- debugs(94, 3, "Found chunk extension " << ext << "=" << useOriginBody); +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- } +- +- debugs(94, 5, "skipping unknown chunk extension " << ext); +- +- // unknown might have a value token or quoted-string +- if (tok.quotedStringOrToken(value) && !tok.atEnd()) { +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- +- // otherwise need more data OR corrupt syntax +- break; +- } +- +- if (!tok.atEnd()) +- buf_ = tok.remaining(); // parse checkpoint (unless there might be more token name) +- } +- +- if (skipLineTerminator(tok)) { +- buf_ = tok.remaining(); // checkpoint +- // non-0 chunk means data, 0-size means optional Trailer follows ++/// Parses "[chunk-ext] CRLF" from RFC 7230 section 4.1.1: ++/// chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF ++/// last-chunk = 1*"0" [ chunk-ext ] CRLF ++bool ++Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) ++{ ++ // Code becomes much simpler when incremental parsing functions throw on ++ // bad or insufficient input, like in the code below. TODO: Expand up. ++ try { ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; ++ } catch (const InsufficientInput &) { ++ tok.reset(buf_); // backtrack to the last commit point ++ return false; + } ++ // other exceptions bubble up to kill message parsing ++} ++ ++/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++{ ++ do { ++ ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + +- return false; ++ if (!tok.skip(';')) ++ return; // reached the end of extensions (if any) ++ ++ parseOneChunkExtension(tok); ++ buf_ = tok.remaining(); // got one extension ++ } while (true); ++} ++ ++void ++Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName) ++{ ++ const auto ignoredValue = tokenOrQuotedString(tok); ++ debugs(94, 5, extName << " with value " << ignoredValue); ++} ++ ++/// Parses a single chunk-ext list element: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++{ ++ ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name ++ ++ const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ ++ ParseBws(tok); ++ ++ if (!tok.skip('=')) ++ return; // parsed a valueless chunk-ext ++ ++ ParseBws(tok); ++ ++ // optimization: the only currently supported extension needs last-chunk ++ if (!theChunkSize && customExtensionValueParser) ++ customExtensionValueParser->parse(tok, extName); ++ else ++ ChunkExtensionValueParser::Ignore(tok, extName); + } + + bool +-Http::One::TeChunkedParser::parseChunkBody(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkBody(Tokenizer &tok) + { + if (theLeftBodySize > 0) { + buf_ = tok.remaining(); // sync buffers before buf_ use +@@ -188,17 +204,20 @@ Http::One::TeChunkedParser::parseChunkBo + } + + bool +-Http::One::TeChunkedParser::parseChunkEnd(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok) + { + Must(theLeftBodySize == 0); // Should(), really + +- if (skipLineTerminator(tok)) { ++ try { ++ skipLineTerminator(tok); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + return true; + } +- +- return false; ++ catch (const InsufficientInput &) { ++ return false; ++ } ++ // other exceptions bubble up to kill message parsing + } + +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -18,6 +18,26 @@ namespace Http + namespace One + { + ++using ::Parser::InsufficientInput; ++ ++// TODO: Move this class into http/one/ChunkExtensionValueParser.* ++/// A customizable parser of a single chunk extension value (chunk-ext-val). ++/// From RFC 7230 section 4.1.1 and its Errata #4667: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++/// chunk-ext-name = token ++/// chunk-ext-val = token / quoted-string ++class ChunkExtensionValueParser ++{ ++public: ++ typedef ::Parser::Tokenizer Tokenizer; ++ ++ /// extracts and ignores the value of a named extension ++ static void Ignore(Tokenizer &tok, const SBuf &extName); ++ ++ /// extracts and then interprets (or ignores) the extension value ++ virtual void parse(Tokenizer &tok, const SBuf &extName) = 0; ++}; ++ + /** + * An incremental parser for chunked transfer coding + * defined in RFC 7230 section 4.1. +@@ -25,7 +45,7 @@ namespace One + * + * The parser shovels content bytes from the raw + * input buffer into the content output buffer, both caller-supplied. +- * Ignores chunk extensions except for ICAP's ieof. ++ * Chunk extensions like use-original-body are handled via parseExtensionValuesWith(). + * Trailers are available via mimeHeader() if wanted. + */ + class TeChunkedParser : public Http1::Parser +@@ -37,6 +57,10 @@ public: + /// set the buffer to be used to store decoded chunk data + void setPayloadBuffer(MemBuf *parsedContent) {theOut = parsedContent;} + ++ /// Instead of ignoring all chunk extension values, give the supplied ++ /// parser a chance to handle them. Only applied to last-chunk (for now). ++ void parseExtensionValuesWith(ChunkExtensionValueParser *parser) { customExtensionValueParser = parser; } ++ + bool needsMoreSpace() const; + + /* Http1::Parser API */ +@@ -45,17 +69,20 @@ public: + virtual Parser::size_type firstLineSize() const {return 0;} // has no meaning with multiple chunks + + private: +- bool parseChunkSize(Http1::Tokenizer &tok); +- bool parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown); +- bool parseChunkBody(Http1::Tokenizer &tok); +- bool parseChunkEnd(Http1::Tokenizer &tok); ++ bool parseChunkSize(Tokenizer &tok); ++ bool parseChunkMetadataSuffix(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); ++ void parseOneChunkExtension(Tokenizer &); ++ bool parseChunkBody(Tokenizer &tok); ++ bool parseChunkEnd(Tokenizer &tok); + + MemBuf *theOut; + uint64_t theChunkSize; + uint64_t theLeftBodySize; + +-public: +- int64_t useOriginBody; ++ /// An optional plugin for parsing and interpreting custom chunk-ext-val. ++ /// This "visitor" object is owned by our creator. ++ ChunkExtensionValueParser *customExtensionValueParser; + }; + + } // namespace One +--- a/src/http/one/Tokenizer.cc ++++ b/src/http/one/Tokenizer.cc +@@ -8,35 +8,18 @@ + + #include "squid.h" + #include "Debug.h" ++#include "http/one/Parser.h" + #include "http/one/Tokenizer.h" ++#include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + +-bool +-Http::One::Tokenizer::quotedString(SBuf &returnedToken, const bool http1p0) ++/// Extracts quoted-string after the caller removes the initial '"'. ++/// \param http1p0 whether to prohibit \-escaped characters in quoted strings ++/// \throws InsufficientInput when input can be a token _prefix_ ++/// \returns extracted quoted string (without quotes and with chars unescaped) ++static SBuf ++parseQuotedStringSuffix(Parser::Tokenizer &tok, const bool http1p0) + { +- checkpoint(); +- +- if (!skip('"')) +- return false; +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::quotedStringOrToken(SBuf &returnedToken, const bool http1p0) +-{ +- checkpoint(); +- +- if (!skip('"')) +- return prefix(returnedToken, CharacterSet::TCHAR); +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::qdText(SBuf &returnedToken, const bool http1p0) +-{ +- // the initial DQUOTE has been skipped by the caller +- + /* + * RFC 1945 - defines qdtext: + * inclusive of LWS (which includes CR and LF) +@@ -61,12 +44,17 @@ Http::One::Tokenizer::qdText(SBuf &retur + // best we can do is a conditional reference since http1p0 value may change per-client + const CharacterSet &tokenChars = (http1p0 ? qdtext1p0 : qdtext1p1); + +- for (;;) { +- SBuf::size_type prefixLen = buf().findFirstNotOf(tokenChars); +- returnedToken.append(consume(prefixLen)); ++ SBuf parsedToken; ++ ++ while (!tok.atEnd()) { ++ SBuf qdText; ++ if (tok.prefix(qdText, tokenChars)) ++ parsedToken.append(qdText); ++ ++ if (!http1p0 && tok.skip('\\')) { // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not ++ if (tok.atEnd()) ++ break; + +- // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not +- if (!http1p0 && skip('\\')) { + /* RFC 7230 section 3.2.6 + * + * The backslash octet ("\") can be used as a single-octet quoting +@@ -78,32 +66,42 @@ Http::One::Tokenizer::qdText(SBuf &retur + */ + static const CharacterSet qPairChars = CharacterSet::HTAB + CharacterSet::SP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + SBuf escaped; +- if (!prefix(escaped, qPairChars, 1)) { +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } +- returnedToken.append(escaped); ++ if (!tok.prefix(escaped, qPairChars, 1)) ++ throw TexcHere("invalid escaped character in quoted-pair"); ++ ++ parsedToken.append(escaped); + continue; ++ } + +- } else if (skip('"')) { +- break; // done ++ if (tok.skip('"')) ++ return parsedToken; // may be empty + +- } else if (atEnd()) { +- // need more data +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } ++ if (tok.atEnd()) ++ break; + +- // else, we have an error +- debugs(24, 8, "invalid bytes for set " << tokenChars.name); +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; ++ throw TexcHere(ToSBuf("invalid bytes for set ", tokenChars.name)); + } + +- // found the whole string +- return true; ++ throw Http::One::InsufficientInput(); ++} ++ ++SBuf ++Http::One::tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0) ++{ ++ if (tok.skip('"')) ++ return parseQuotedStringSuffix(tok, http1p0); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf parsedToken; ++ if (!tok.prefix(parsedToken, CharacterSet::TCHAR)) ++ throw TexcHere("invalid input while expecting an HTTP token"); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ // got the complete token ++ return parsedToken; + } + +--- a/src/http/one/Tokenizer.h ++++ b/src/http/one/Tokenizer.h +@@ -9,68 +9,47 @@ + #ifndef SQUID_SRC_HTTP_ONE_TOKENIZER_H + #define SQUID_SRC_HTTP_ONE_TOKENIZER_H + +-#include "parser/Tokenizer.h" ++#include "parser/forward.h" ++#include "sbuf/forward.h" + + namespace Http { + namespace One { + + /** +- * Lexical processor extended to tokenize HTTP/1.x syntax. ++ * Extracts either an HTTP/1 token or quoted-string while dealing with ++ * possibly incomplete input typical for incremental text parsers. ++ * Unescapes escaped characters in HTTP/1.1 quoted strings. + * +- * \see ::Parser::Tokenizer for more detail ++ * \param http1p0 whether to prohibit \-escaped characters in quoted strings ++ * \throws InsufficientInput as appropriate, including on unterminated tokens ++ * \returns extracted token or quoted string (without quotes) ++ * ++ * Governed by: ++ * - RFC 1945 section 2.1 ++ * " ++ * A string of text is parsed as a single word if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = ( <"> *(qdtext) <"> ) ++ * ++ * qdtext = <any CHAR except <"> and CTLs, ++ * but including LWS> ++ * ++ * Single-character quoting using the backslash ("\") character is not ++ * permitted in HTTP/1.0. ++ * " ++ * ++ * - RFC 7230 section 3.2.6 ++ * " ++ * A string of text is parsed as a single value if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE ++ * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text ++ * obs-text = %x80-FF ++ * " + */ +-class Tokenizer : public ::Parser::Tokenizer +-{ +-public: +- Tokenizer(SBuf &s) : ::Parser::Tokenizer(s), savedStats_(0) {} +- +- /** +- * Attempt to parse a quoted-string lexical construct. +- * +- * Governed by: +- * - RFC 1945 section 2.1 +- * " +- * A string of text is parsed as a single word if it is quoted using +- * double-quote marks. +- * +- * quoted-string = ( <"> *(qdtext) <"> ) +- * +- * qdtext = <any CHAR except <"> and CTLs, +- * but including LWS> +- * +- * Single-character quoting using the backslash ("\") character is not +- * permitted in HTTP/1.0. +- * " +- * +- * - RFC 7230 section 3.2.6 +- * " +- * A string of text is parsed as a single value if it is quoted using +- * double-quote marks. +- * +- * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE +- * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text +- * obs-text = %x80-FF +- * " +- * +- * \param escaped HTTP/1.0 does not permit \-escaped characters +- */ +- bool quotedString(SBuf &value, const bool http1p0 = false); +- +- /** +- * Attempt to parse a (token / quoted-string ) lexical construct. +- */ +- bool quotedStringOrToken(SBuf &value, const bool http1p0 = false); +- +-private: +- /// parse the internal component of a quote-string, and terminal DQUOTE +- bool qdText(SBuf &value, const bool http1p0); +- +- void checkpoint() { savedCheckpoint_ = buf(); savedStats_ = parsedSize(); } +- void restoreLastCheckpoint() { undoParse(savedCheckpoint_, savedStats_); } +- +- SBuf savedCheckpoint_; +- SBuf::size_type savedStats_; +-}; ++SBuf tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0 = false); + + } // namespace One + } // namespace Http +--- a/src/http/one/forward.h ++++ b/src/http/one/forward.h +@@ -10,6 +10,7 @@ + #define SQUID_SRC_HTTP_ONE_FORWARD_H + + #include "base/RefCount.h" ++#include "parser/forward.h" + #include "sbuf/forward.h" + + namespace Http { +@@ -31,6 +32,8 @@ typedef RefCount<Http::One::ResponsePars + /// CRLF textual representation + const SBuf &CrLf(); + ++using ::Parser::InsufficientInput; ++ + } // namespace One + } // namespace Http + +--- a/src/parser/BinaryTokenizer.h ++++ b/src/parser/BinaryTokenizer.h +@@ -9,6 +9,7 @@ + #ifndef SQUID_SRC_PARSER_BINARYTOKENIZER_H + #define SQUID_SRC_PARSER_BINARYTOKENIZER_H + ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Parser +@@ -44,7 +45,7 @@ public: + class BinaryTokenizer + { + public: +- class InsufficientInput {}; // thrown when a method runs out of data ++ typedef ::Parser::InsufficientInput InsufficientInput; + typedef uint64_t size_type; // enough for the largest supported offset + + BinaryTokenizer(); +--- a/src/parser/Makefile.am ++++ b/src/parser/Makefile.am +@@ -13,6 +13,7 @@ noinst_LTLIBRARIES = libparser.la + libparser_la_SOURCES = \ + BinaryTokenizer.h \ + BinaryTokenizer.cc \ ++ forward.h \ + Tokenizer.h \ + Tokenizer.cc + +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -10,7 +10,9 @@ + + #include "squid.h" + #include "Debug.h" ++#include "parser/forward.h" + #include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + + #include <cerrno> + #if HAVE_CTYPE_H +@@ -96,6 +98,23 @@ Parser::Tokenizer::prefix(SBuf &returned + return true; + } + ++SBuf ++Parser::Tokenizer::prefix(const char *description, const CharacterSet &tokenChars, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf result; ++ ++ if (!prefix(result, tokenChars, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ return result; ++} ++ + bool + Parser::Tokenizer::suffix(SBuf &returnedToken, const CharacterSet &tokenChars, const SBuf::size_type limit) + { +@@ -283,3 +302,24 @@ Parser::Tokenizer::int64(int64_t & resul + return success(s - range.rawContent()); + } + ++int64_t ++Parser::Tokenizer::udec64(const char *description, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ int64_t result = 0; ++ ++ // Since we only support unsigned decimals, a parsing failure with a ++ // non-empty input always implies invalid/malformed input (or a buggy ++ // limit=0 caller). TODO: Support signed and non-decimal integers by ++ // refactoring int64() to detect insufficient input. ++ if (!int64(result, 10, false, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); // more digits may be coming ++ ++ return result; ++} ++ +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -143,6 +143,19 @@ public: + */ + bool int64(int64_t &result, int base = 0, bool allowSign = true, SBuf::size_type limit = SBuf::npos); + ++ /* ++ * The methods below mimic their counterparts documented above, but they ++ * throw on errors, including InsufficientInput. The field description ++ * parameter is used for error reporting and debugging. ++ */ ++ ++ /// prefix() wrapper but throws InsufficientInput if input contains ++ /// nothing but the prefix (i.e. if the prefix is not "terminated") ++ SBuf prefix(const char *description, const CharacterSet &tokenChars, SBuf::size_type limit = SBuf::npos); ++ ++ /// int64() wrapper but limited to unsigned decimal integers (for now) ++ int64_t udec64(const char *description, SBuf::size_type limit = SBuf::npos); ++ + protected: + SBuf consume(const SBuf::size_type n); + SBuf::size_type success(const SBuf::size_type n); +--- /dev/null ++++ b/src/parser/forward.h +@@ -0,0 +1,22 @@ ++/* ++ * Copyright (C) 1996-2019 The Squid Software Foundation and contributors ++ * ++ * Squid software is distributed under GPLv2+ license and includes ++ * contributions from numerous individuals and organizations. ++ * Please see the COPYING and CONTRIBUTORS files for details. ++ */ ++ ++#ifndef SQUID_PARSER_FORWARD_H ++#define SQUID_PARSER_FORWARD_H ++ ++namespace Parser { ++class Tokenizer; ++class BinaryTokenizer; ++ ++// TODO: Move this declaration (to parser/Elements.h) if we need more like it. ++/// thrown by modern "incremental" parsers when they need more data ++class InsufficientInput {}; ++} // namespace Parser ++ ++#endif /* SQUID_PARSER_FORWARD_H */ ++ diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch new file mode 100644 index 0000000000..a6d0965e7a --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch @@ -0,0 +1,169 @@ +From 05f6af2f4c85cc99323cfff6149c3d74af661b6d Mon Sep 17 00:00:00 2001 +From: Amos Jeffries <yadij@users.noreply.github.com> +Date: Fri, 13 Oct 2023 08:44:16 +0000 +Subject: [PATCH] RFC 9112: Improve HTTP chunked encoding compliance (#1498) + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/05f6af2f4c85cc99323cfff6149c3d74af661b6d] +CVE: CVE-2023-46846 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/http/one/Parser.cc | 8 +------- + src/http/one/Parser.h | 4 +--- + src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++----- + src/parser/Tokenizer.cc | 12 ++++++++++++ + src/parser/Tokenizer.h | 7 +++++++ + 5 files changed, 39 insertions(+), 15 deletions(-) + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters() + void + Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { +- if (tok.skip(Http1::CrLf())) +- return; +- + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) + return; + +- if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- throw InsufficientInput(); +- +- throw TexcHere("garbage instead of CRLF line terminator"); ++ tok.skipRequired("line-terminating CRLF", Http1::CrLf()); + } + + /// all characters except the LF line terminator +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -120,9 +120,7 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * \throws exception on bad or InsuffientInput. +- * \retval true only if line terminator found. +- * \retval false incomplete or missing line terminator, need more data. ++ * \throws exception on bad or InsufficientInput + */ + void skipLineTerminator(Tokenizer &) const; + +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSi + { + Must(theChunkSize <= 0); // Should(), really + ++ static const SBuf bannedHexPrefixLower("0x"); ++ static const SBuf bannedHexPrefixUpper("0X"); ++ if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper)) ++ throw TextException("chunk starts with 0x", Here()); ++ + int64_t size = -1; + if (tok.int64(size, 16, false) && !tok.atEnd()) { + if (size < 0) +@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMe + // bad or insufficient input, like in the code below. TODO: Expand up. + try { + parseChunkExtensions(tok); // a possibly empty chunk-ext list +- skipLineTerminator(tok); ++ tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; +@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMe + // other exceptions bubble up to kill message parsing + } + +-/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { + do { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkEx + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension ++ callerTok = tok; + } while (true); + } + +@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ig + /// Parses a single chunk-ext list element: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok) + { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name + + const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ callerTok = tok; // in case we determine that this is a valueless chunk-ext + + ParseBws(tok); + +@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChun + customExtensionValueParser->parse(tok, extName); + else + ChunkExtensionValueParser::Ignore(tok, extName); ++ ++ callerTok = tok; + } + + bool +@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEn + Must(theLeftBodySize == 0); // Should(), really + + try { +- skipLineTerminator(tok); ++ tok.skipRequired("chunk CRLF", Http1::CrLf()); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const Charact + return success(prefixLen); + } + ++void ++Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip) ++{ ++ if (skip(tokenToSkip) || tokenToSkip.isEmpty()) ++ return; ++ ++ if (tokenToSkip.startsWith(buf_)) ++ throw InsufficientInput(); ++ ++ throw TextException(ToSBuf("cannot skip ", description), Here()); ++} ++ + bool + Parser::Tokenizer::skipOne(const CharacterSet &chars) + { +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -115,6 +115,13 @@ public: + */ + SBuf::size_type skipAll(const CharacterSet &discardables); + ++ /** skips a given character sequence (string); ++ * does nothing if the sequence is empty ++ * ++ * \throws exception on mismatching prefix or InsufficientInput ++ */ ++ void skipRequired(const char *description, const SBuf &tokenToSkip); ++ + /** Removes a single trailing character from the set. + * + * \return whether a character was removed diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch new file mode 100644 index 0000000000..d9f29569d1 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch @@ -0,0 +1,47 @@ +From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001 +From: squidadm <squidadm@users.noreply.github.com> +Date: Wed, 18 Oct 2023 04:50:56 +1300 +Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization + (#1517) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html +where it was filed as "Stack Buffer Overflow in Digest Authentication". + +--------- + +Co-authored-by: Alex Bason <nonsleepr@gmail.com> +Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com> + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3] +CVE: CVE-2023-46847 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/auth/digest/Config.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc +index 2d25fee..4c206e1 100644 +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -862,11 +862,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm) + break; + + case DIGEST_NC: +- if (value.size() != 8) { ++ if (value.size() == 8) { ++ // for historical reasons, the nc value MUST be exactly 8 bytes ++ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size"); ++ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); ++ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); ++ } else { + debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'"); ++ digest_request->nc[0] = 0; + } +- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); +- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); + break; + + case DIGEST_CNONCE: +-- +2.40.1 diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch new file mode 100644 index 0000000000..d3cc549f98 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch @@ -0,0 +1,35 @@ +From 77b3fb4df0f126784d5fd4967c28ed40eb8d521b Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Wed, 25 Oct 2023 19:41:45 +0000 +Subject: [PATCH] RFC 1123: Fix date parsing (#1538) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html +where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time +Handling". + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b] +CVE: CVE-2023-49285 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/rfc1123.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/rfc1123.c b/lib/rfc1123.c +index e5bf9a4d705..cb484cc002b 100644 +--- a/lib/rfc1123.c ++++ b/lib/rfc1123.c +@@ -50,7 +50,13 @@ make_month(const char *s) + char month[3]; + + month[0] = xtoupper(*s); ++ if (!month[0]) ++ return -1; // protects *(s + 1) below ++ + month[1] = xtolower(*(s + 1)); ++ if (!month[1]) ++ return -1; // protects *(s + 2) below ++ + month[2] = xtolower(*(s + 2)); + + for (i = 0; i < 12; i++) diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch new file mode 100644 index 0000000000..8e0bdf387c --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch @@ -0,0 +1,87 @@ +From 6014c6648a2a54a4ecb7f952ea1163e0798f9264 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Fri, 27 Oct 2023 21:27:20 +0000 +Subject: [PATCH] Exit without asserting when helper process startup fails + (#1543) + +... to dup() after fork() and before execvp(). + +Assertions are for handling program logic errors. Helper initialization +code already handled system call errors correctly (i.e. by exiting the +newly created helper process with an error), except for a couple of +assert()s that could be triggered by dup(2) failures. + +This bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html +where it was filed as 'Assertion in Squid "Helper" Process Creator'. + +Origin: http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264] +CVE: CVE-2023-49286 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ipc.cc | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -20,6 +20,12 @@ + #include "SquidIpc.h" + #include "tools.h" + ++#include <cstdlib> ++ ++#if HAVE_UNISTD_H ++#include <unistd.h> ++#endif ++ + static const char *hello_string = "hi there\n"; + #ifndef HELLO_BUF_SZ + #define HELLO_BUF_SZ 32 +@@ -365,6 +371,22 @@ + } + + PutEnvironment(); ++ ++ // A dup(2) wrapper that reports and exits the process on errors. The ++ // exiting logic is only suitable for this child process context. ++ const auto dupOrExit = [prog,name](const int oldFd) { ++ const auto newFd = dup(oldFd); ++ if (newFd < 0) { ++ const auto savedErrno = errno; ++ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name); ++ debugs(54, DBG_CRITICAL, "helper (CHILD) PID: " << getpid()); ++ debugs(54, DBG_CRITICAL, "helper program name: " << prog); ++ debugs(54, DBG_CRITICAL, "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno)); ++ _exit(1); ++ } ++ return newFd; ++ }; ++ + /* + * This double-dup stuff avoids problems when one of + * crfd, cwfd, or debug_log are in the rage 0-2. +@@ -372,17 +394,16 @@ + + do { + /* First make sure 0-2 is occupied by something. Gets cleaned up later */ +- x = dup(crfd); +- assert(x > -1); +- } while (x < 3 && x > -1); ++ x = dupOrExit(crfd); ++ } while (x < 3); + + close(x); + +- t1 = dup(crfd); ++ t1 = dupOrExit(crfd); + +- t2 = dup(cwfd); ++ t2 = dupOrExit(cwfd); + +- t3 = dup(fileno(debug_log)); ++ t3 = dupOrExit(fileno(debug_log)); + + assert(t1 > 2 && t2 > 2 && t3 > 2); + diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch new file mode 100644 index 0000000000..51c895e0ef --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch @@ -0,0 +1,62 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 26 Dec 2023 19:58:12 +0100 +Subject: CVE-2023-50269 + +Bug-Debian: https://bugs.debian.org/1058721 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] +CVE: CVE-2023-50269 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ClientRequestContext.h | 4 ++++ + src/client_side_request.cc | 17 +++++++++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/src/ClientRequestContext.h ++++ b/src/ClientRequestContext.h +@@ -81,6 +81,10 @@ + #endif + ErrorState *error; ///< saved error page for centralized/delayed processing + bool readNextRequest; ///< whether Squid should read after error handling ++ ++#if FOLLOW_X_FORWARDED_FOR ++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far ++#endif + }; + + #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -78,6 +78,11 @@ + static const char *const crlf = "\r\n"; + + #if FOLLOW_X_FORWARDED_FOR ++ ++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) ++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 ++#endif ++ + static void clientFollowXForwardedForCheck(allow_t answer, void *data); + #endif /* FOLLOW_X_FORWARDED_FOR */ + +@@ -485,8 +490,16 @@ + /* override the default src_addr tested if we have to go deeper than one level into XFF */ + Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; + } +- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); +- return; ++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { ++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); ++ return; ++ } ++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; ++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses"); ++ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber); ++ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr); ++ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator); ++ // fall through to resume clientAccessCheck() processing + } + } + diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb index 19949acd84..09c0a2cd7c 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.9.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb @@ -24,6 +24,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2 file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch \ file://0001-tools.cc-fixed-unused-result-warning.patch \ file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \ + file://CVE-2023-46847.patch \ + file://CVE-2023-46728.patch \ + file://CVE-2023-46846-pre1.patch \ + file://CVE-2023-46846.patch \ + file://CVE-2023-49285.patch \ + file://CVE-2023-49286.patch \ + file://CVE-2023-50269.patch \ " SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" diff --git a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb index 115353fec7..071002c5e7 100644 --- a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb +++ b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://gpl_license.txt;md5=11c7b65c4a4acb9d5175f7e9bf99c403" SRCREV = "39276d14b659684c4c0612725ab83ea841c6ef99" -SRC_URI = "git://github.com/arno-iptables-firewall/aif" +SRC_URI = "git://github.com/arno-iptables-firewall/aif;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch new file mode 100644 index 0000000000..21d4cfd822 --- /dev/null +++ b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch @@ -0,0 +1,19 @@ +ebtables: use optimizations from bitbake + +Enables building with O2 or Os to create smaller binaries. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> + +--- a/Makefile 2021-04-16 12:43:40.475431286 +0000 ++++ b/Makefile 2021-04-16 12:45:23.654597711 +0000 +@@ -18,7 +18,7 @@ SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + + CFLAGS:=-Wall -Wunused -Werror +-CFLAGS_SH_LIB:=-fPIC -O3 ++CFLAGS_SH_LIB:=-fPIC + CC:=gcc + + ifeq ($(shell uname -m),sparc64) diff --git a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb index 276784009f..8b6dcea439 100644 --- a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb +++ b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb @@ -31,6 +31,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/ebtables/ebtables-v${PV}.tar.gz \ file://0007-extensions-Use-stdint-types.patch \ file://0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch \ file://0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch \ + file://ebtables_optimizations.patch \ " SRC_URI_append_libc-musl = " file://0010-Adjust-header-include-sequence.patch" diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb index 2f627d458e..994825cb7e 100644 --- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb +++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb @@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl" SRCREV = "ba196a97e810746e5660fe3f57c87c0ed0f2b324" PV .= "+git${SRCPV}" -SRC_URI = "git://git.netfilter.org/libnetfilter_log" +SRC_URI = "git://git.netfilter.org/libnetfilter_log;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb index 896cfdfaa4..1bbab6f3cb 100644 --- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb +++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb @@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl" SRCREV = "601abd1c71ccdf90753cf294c120ad43fb25dc54" -SRC_URI = "git://git.netfilter.org/libnetfilter_queue \ +SRC_URI = "git://git.netfilter.org/libnetfilter_queue;branch=master \ file://0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch \ " diff --git a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb index 4ff00bf873..fee9967ebd 100644 --- a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb +++ b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb @@ -5,7 +5,7 @@ SECTION = "libs" DEPENDS = "libmnl" SRCREV = "eedafeb6db330b8adff1b7cdd3dac325f9144195" -SRC_URI = "git://git.netfilter.org/libnftnl \ +SRC_URI = "git://git.netfilter.org/libnftnl;branch=master \ file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \ " diff --git a/meta-networking/recipes-irc/znc/znc_1.7.5.bb b/meta-networking/recipes-irc/znc/znc_1.7.5.bb index a3d4b7cc55..d7467ff4a6 100644 --- a/meta-networking/recipes-irc/znc/znc_1.7.5.bb +++ b/meta-networking/recipes-irc/znc/znc_1.7.5.bb @@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" DEPENDS = "openssl zlib icu" -SRC_URI = "git://github.com/znc/znc.git;name=znc \ - git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket \ +SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \ + git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \ " SRCREV_znc = "c7f72f8bc800115ac985e7e13eace78031cb1b50" SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4" diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch deleted file mode 100644 index a9dc9dc2b7..0000000000 --- a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch +++ /dev/null @@ -1,29 +0,0 @@ -From ce8faa3ee266ea69431805e6ed4bd7102d982508 Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Thu, 12 Nov 2020 09:43:38 +0100 -Subject: [PATCH] compat: SYM_FUNC_{START,END} were backported to 5.4 - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> - -Upstream-Status: Backport -Fixes build failure in Dunfell. - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - compat/compat-asm.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: src/compat/compat-asm.h -=================================================================== ---- src.orig/compat/compat-asm.h -+++ src/compat/compat-asm.h -@@ -40,7 +40,7 @@ - #undef pull - #endif - --#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) -+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76) - #define SYM_FUNC_START ENTRY - #define SYM_FUNC_END ENDPROC - #endif diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb index e8891c4428..df2db15349 100644 --- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb +++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb @@ -1,9 +1,8 @@ require wireguard.inc -SRCREV = "43f57dac7b8305024f83addc533c9eede6509129" +SRCREV = "18fbcd68a35a892527345dc5679d0b2d860ee004" -SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat \ - file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch" +SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;protocol=https;branch=master" inherit module kernel-module-split @@ -18,12 +17,7 @@ EXTRA_OEMAKE_append = " \ " MAKE_TARGETS = "module" +MODULES_INSTALL_TARGET = "module-install" RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit" MODULE_NAME = "wireguard" - -module_do_install() { - install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME} - install -m 0644 ${MODULE_NAME}.ko \ - ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko -} diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb index f698b9a9af..b63ef88182 100644 --- a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb +++ b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb @@ -1,7 +1,7 @@ require wireguard.inc -SRCREV = "a8063adc8ae9b4fc9848500e93f94bee8ad2e585" -SRC_URI = "git://git.zx2c4.com/wireguard-tools" +SRCREV = "3ba6527130c502144e7388b900138bca6260f4e8" +SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master" inherit bash-completion systemd pkgconfig @@ -9,7 +9,7 @@ DEPENDS += "wireguard-module libmnl" do_install () { oe_runmake DESTDIR="${D}" PREFIX="${prefix}" SYSCONFDIR="${sysconfdir}" \ - SYSTEMDUNITDIR="${systemd_unitdir}" \ + SYSTEMDUNITDIR="${systemd_system_unitdir}" \ WITH_SYSTEMDUNITS=${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'yes', '', d)} \ WITH_BASHCOMPLETION=yes \ WITH_WGQUICK=yes \ diff --git a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb index 6dd15ad9fc..fdcd906516 100644 --- a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb +++ b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb @@ -12,7 +12,7 @@ SECTION = "net" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENCE;md5=411a48ac3c2e9e0911b8dd9aed26f754" -SRC_URI = "git://github.com/jech/babeld.git;protocol=git" +SRC_URI = "git://github.com/jech/babeld.git;protocol=https;branch=master" SRCREV = "0835d5d894ea016ab7b81562466cade2c51a12d4" UPSTREAM_CHECK_GITTAGREGEX = "babeld-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb b/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb index 0f8dc92df3..ce31233264 100644 --- a/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb +++ b/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb @@ -26,6 +26,19 @@ SRC_URI = "https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-${P SRC_URI[md5sum] = "4e139a8e1133349006b0436291c9e29b" SRC_URI[sha256sum] = "2cef0ee9900504c5277fb81de0a28e6c0835fe482ebecf1067c6864f5c4eda74" +# CVE-2007-0613 is not applicable as it only affects Apple products +# i.e. ichat,mdnsresponder, instant message framework and MacOS. +# Also, https://www.exploit-db.com/exploits/3230 shows the part of code +# affected by CVE-2007-0613 which is not preset in upstream source code. +# Hence, CVE-2007-0613 does not affect other Yocto implementations and +# is not reported for other distros can be marked whitelisted. +# Links: +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 +# https://security-tracker.debian.org/tracker/CVE-2007-0613 +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +CVE_CHECK_WHITELIST += "CVE-2007-0613" + PARALLEL_MAKE = "" S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix" diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch new file mode 100644 index 0000000000..4e537c8859 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch @@ -0,0 +1,116 @@ +From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001 +From: Bill Fenner <fenner@gmail.com> +Date: Fri, 25 Nov 2022 08:41:24 -0800 +Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind + +Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57] +CVE: CVE-2022-44792 & CVE-2022-44793 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + agent/snmp_agent.c | 32 +++++++++++++++++++ + apps/snmpset.c | 1 + + .../default/T0142snmpv2csetnull_simple | 31 ++++++++++++++++++ + 3 files changed, 64 insertions(+) + create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 26653f4..eba5b4e 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -3708,12 +3708,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status) + return 1; + } + ++static int ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp) ++{ ++ int i; ++ netsnmp_variable_list *v = NULL; ++ ++ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) { ++ if (v->type == ASN_NULL) { ++ /* ++ * Protect SET implementations that do not protect themselves ++ * against wrong type. ++ */ ++ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i)); ++ asp->index = i; ++ return SNMP_ERR_WRONGTYPE; ++ } ++ } ++ return SNMP_ERR_NOERROR; ++} ++ + int + handle_pdu(netsnmp_agent_session *asp) + { + int status, inclusives = 0; + netsnmp_variable_list *v = NULL; + ++#ifndef NETSNMP_NO_WRITE_SUPPORT ++ /* ++ * Check for ASN_NULL in SET request ++ */ ++ if (asp->pdu->command == SNMP_MSG_SET) { ++ status = check_set_pdu_for_null_varbind(asp); ++ if (status != SNMP_ERR_NOERROR) { ++ return status; ++ } ++ } ++#endif /* NETSNMP_NO_WRITE_SUPPORT */ ++ + /* + * for illegal requests, mark all nodes as ASN_NULL + */ +diff --git a/apps/snmpset.c b/apps/snmpset.c +index a2374bc..cd01b9a 100644 +--- a/apps/snmpset.c ++++ b/apps/snmpset.c +@@ -182,6 +182,7 @@ main(int argc, char *argv[]) + case 'x': + case 'd': + case 'b': ++ case 'n': /* undocumented */ + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case 'I': + case 'U': +diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple +new file mode 100644 +index 0000000..0f1b8f3 +--- /dev/null ++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple +@@ -0,0 +1,31 @@ ++#!/bin/sh ++ ++. ../support/simple_eval_tools.sh ++ ++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind ++ ++SKIPIF NETSNMP_DISABLE_SET_SUPPORT ++SKIPIF NETSNMP_NO_WRITE_SUPPORT ++SKIPIF NETSNMP_DISABLE_SNMPV2C ++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE ++ ++# ++# Begin test ++# ++ ++# standard V2C configuration: testcomunnity ++snmp_write_access='all' ++. ./Sv2cconfig ++STARTAGENT ++ ++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0" ++ ++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:" ++ ++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x" ++ ++CHECK "Reason: wrongType" ++ ++STOPAGENT ++ ++FINISHED +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb index 6b4b6ce8ed..79f2c1d89d 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb @@ -35,6 +35,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \ file://CVE-2020-15861-0004.patch \ file://CVE-2020-15861-0005.patch \ file://CVE-2020-15862.patch \ + file://CVE-2022-44792-CVE-2022-44793.patch \ " SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a" SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf" diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc index cccbfa19a6..c425b48e19 100644 --- a/meta-networking/recipes-protocols/openflow/openflow.inc +++ b/meta-networking/recipes-protocols/openflow/openflow.inc @@ -11,7 +11,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2" -SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git" +SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master" DEPENDS = "virtual/libc" @@ -35,3 +35,7 @@ do_install_append() { # Remove /var/run as it is created on startup rm -rf ${D}${localstatedir}/run } + +# This CVE is not for this product but cve-check assumes it is +# because two CPE collides when checking the NVD database +CVE_CHECK_WHITELIST = "CVE-2018-1078" diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch new file mode 100644 index 0000000000..bdb48a3993 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch @@ -0,0 +1,117 @@ +From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001 +From: Marius Tomaschewski <mt@suse.com> +Date: Fri Nov 11 09:07:22 UTC 2022 +Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation + +Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890 + +Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch + +CVE: CVE-2021-44038 +Signed-off-by: Marius Tomaschewski <mt@suse.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + redhat/bgpd.service | 2 -- + redhat/isisd.service | 2 -- + redhat/ospf6d.service | 2 -- + redhat/ospfd.service | 2 -- + redhat/ripd.service | 2 -- + redhat/ripngd.service | 2 -- + redhat/zebra.service | 3 --- + 7 files changed, 15 deletions(-) + +diff --git a/redhat/bgpd.service b/redhat/bgpd.service +index a50bfff..6f46a97 100644 +--- a/redhat/bgpd.service ++++ b/redhat/bgpd.service +@@ -10,8 +10,6 @@ Documentation=man:bgpd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf + ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf + Restart=on-abort + +diff --git a/redhat/isisd.service b/redhat/isisd.service +index 93663aa..c1464c0 100644 +--- a/redhat/isisd.service ++++ b/redhat/isisd.service +@@ -10,8 +10,6 @@ Documentation=man:isisd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf + ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf + Restart=on-abort + +diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service +index 3c1c978..d493429 100644 +--- a/redhat/ospf6d.service ++++ b/redhat/ospf6d.service +@@ -10,8 +10,6 @@ Documentation=man:ospf6d + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf + ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf + Restart=on-abort + +diff --git a/redhat/ospfd.service b/redhat/ospfd.service +index 0084b6c..6c84580 100644 +--- a/redhat/ospfd.service ++++ b/redhat/ospfd.service +@@ -10,8 +10,6 @@ Documentation=man:ospfd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf + ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf + Restart=on-abort + +diff --git a/redhat/ripd.service b/redhat/ripd.service +index 103b5a9..be0f75c 100644 +--- a/redhat/ripd.service ++++ b/redhat/ripd.service +@@ -10,8 +10,6 @@ Documentation=man:ripd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf + ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf + Restart=on-abort + +diff --git a/redhat/ripngd.service b/redhat/ripngd.service +index 6fe6ba8..23447da 100644 +--- a/redhat/ripngd.service ++++ b/redhat/ripngd.service +@@ -10,8 +10,6 @@ Documentation=man:ripngd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf + ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf + Restart=on-abort + +diff --git a/redhat/zebra.service b/redhat/zebra.service +index fa5a004..e3cf0ab 100644 +--- a/redhat/zebra.service ++++ b/redhat/zebra.service +@@ -10,9 +10,6 @@ Documentation=man:zebra + Type=forking + EnvironmentFile=-/etc/sysconfig/quagga + ExecStartPre=/sbin/ip route flush proto zebra +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf +-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf + ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf + Restart=on-abort + +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc index 134a33d478..5ef3843b15 100644 --- a/meta-networking/recipes-protocols/quagga/quagga.inc +++ b/meta-networking/recipes-protocols/quagga/quagga.inc @@ -34,8 +34,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \ file://ripd.service \ file://ripngd.service \ file://zebra.service \ + file://CVE-2021-44038.patch \ " - PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap" PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam" diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb index 4f8e4d4282..dcfa7406d2 100644 --- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb +++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb @@ -23,3 +23,5 @@ PACKAGECONFIG[inet] = "--enable-inet,--disable-inet," PACKAGECONFIG[inet6] = "--enable-inet6,--disable-inet6," EXTRA_OECONF += "--disable-debug" + +CVE_VERSION = "0.9.3.0" diff --git a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb index b02e183db7..181698d778 100644 --- a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb +++ b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb @@ -8,7 +8,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/xelerance/xl2tpd.git" +SRC_URI = "git://github.com/xelerance/xl2tpd.git;branch=master;protocol=https" SRCREV = "ba619c79c4790c78c033df0abde4a9a5de744a08" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/arptables/arptables_git.bb b/meta-networking/recipes-support/arptables/arptables_git.bb index c02a19944d..b59dc4ca1b 100644 --- a/meta-networking/recipes-support/arptables/arptables_git.bb +++ b/meta-networking/recipes-support/arptables/arptables_git.bb @@ -6,7 +6,7 @@ SRCREV = "efae8949e31f8b2eb6290f377a28384cecaf105a" PV = "0.0.5+git${SRCPV}" SRC_URI = " \ - git://git.netfilter.org/arptables \ + git://git.netfilter.org/arptables;branch=master \ file://0001-Use-ARPCFLAGS-for-package-specific-compiler-flags.patch \ file://arptables-arpt-get-target-fix.patch \ file://arptables.service \ diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb index 1c87c48bfa..4b195ededa 100644 --- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb +++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f9d20a453221a1b7e32ae84694da2c37" SRCREV = "42c1aefc303fdf891fbb099ea51f00dca83ab606" SRC_URI = "\ - git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git \ + git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=main \ file://kernel-headers.patch \ file://0005-build-don-t-ignore-CFLAGS-from-environment.patch \ file://0006-libbridge-Modifying-the-AR-to-cross-toolchain.patch \ diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb index 8d82ee4546..e76481cc1b 100644 --- a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb +++ b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" PV = "6.10" SRCREV = "5ff5fc2ecc10353fd39ad508db5c2828fd2d8d9a" -SRC_URI = "git://git.samba.org/cifs-utils.git" +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master" S = "${WORKDIR}/git" DEPENDS += "libtalloc" diff --git a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb index 799cf8611c..3da651c478 100644 --- a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb +++ b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=fd0c9adf285a69aa3b4faf34384e1029" DEPENDS = "curl" DEPENDS_class-native = "curl-native" -SRC_URI = "git://github.com/jpbarrette/curlpp.git" +SRC_URI = "git://github.com/jpbarrette/curlpp.git;branch=master;protocol=https" SRCREV = "592552a165cc569dac7674cb7fc9de3dc829906f" diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch new file mode 100644 index 0000000000..360931a83b --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch @@ -0,0 +1,1040 @@ +From 74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Mon, 15 Mar 2021 21:59:51 +0000 +Subject: [PATCH] Use random source ports where possible if source + addresses/interfaces in use. + +CVE-2021-3448 applies. + +It's possible to specify the source address or interface to be +used when contacting upstream nameservers: server=8.8.8.8@1.2.3.4 +or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of +these have, until now, used a single socket, bound to a fixed +port. This was originally done to allow an error (non-existent +interface, or non-local address) to be detected at start-up. This +means that any upstream servers specified in such a way don't use +random source ports, and are more susceptible to cache-poisoning +attacks. + +We now use random ports where possible, even when the +source is specified, so server=8.8.8.8@1.2.3.4 or +server=8.8.8.8@eth0 will use random source +ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will +use the explicitly configured port, and should only be done with +understanding of the security implications. +Note that this change changes non-existing interface, or non-local +source address errors from fatal to run-time. The error will be +logged and communiction with the server not possible. + +Upstream-Status: Backport +CVE: CVE-2021-3448 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + CHANGELOG | 22 +++ + man/dnsmasq.8 | 4 +- + src/dnsmasq.c | 31 ++-- + src/dnsmasq.h | 26 ++-- + src/forward.c | 392 ++++++++++++++++++++++++++++++-------------------- + src/loop.c | 20 +-- + src/network.c | 110 +++++--------- + src/option.c | 3 +- + src/tftp.c | 6 +- + src/util.c | 2 +- + 10 files changed, 344 insertions(+), 272 deletions(-) + +Index: dnsmasq-2.81/man/dnsmasq.8 +=================================================================== +--- dnsmasq-2.81.orig/man/dnsmasq.8 ++++ dnsmasq-2.81/man/dnsmasq.8 +@@ -489,7 +489,7 @@ source address specified but the port ma + part of the source address. Forcing queries to an interface is not + implemented on all platforms supported by dnsmasq. + .TP +-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]] ++.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]] + This is functionally the same as + .B --server, + but provides some syntactic sugar to make specifying address-to-name queries easier. For example +Index: dnsmasq-2.81/src/dnsmasq.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.c ++++ dnsmasq-2.81/src/dnsmasq.c +@@ -1668,6 +1668,7 @@ static int set_dns_listeners(time_t now) + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int wait = 0, i; + + #ifdef HAVE_TFTP +@@ -1688,11 +1689,14 @@ static int set_dns_listeners(time_t now) + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + poll_listen(serverfdp->fd, POLLIN); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0) +- poll_listen(daemon->randomsocks[i].fd, POLLIN); +- ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0) ++ poll_listen(daemon->randomsocks[i].fd, POLLIN); ++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ poll_listen(rfl->rfd->fd, POLLIN); ++ + for (listener = daemon->listeners; listener; listener = listener->next) + { + /* only listen for queries if we have resources */ +@@ -1729,18 +1733,23 @@ static void check_dns_listeners(time_t n + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int i; + int pipefd[2]; + + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + if (poll_check(serverfdp->fd, POLLIN)) +- reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now); ++ reply_query(serverfdp->fd, now); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0 && +- poll_check(daemon->randomsocks[i].fd, POLLIN)) +- reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now); ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && ++ poll_check(daemon->randomsocks[i].fd, POLLIN)) ++ reply_query(daemon->randomsocks[i].fd, now); ++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ if (poll_check(rfl->rfd->fd, POLLIN)) ++ reply_query(rfl->rfd->fd, now); + + /* Races. The child process can die before we read all of the data from the + pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -542,13 +542,20 @@ struct serverfd { + }; + + struct randfd { ++ struct server *serv; + int fd; +- unsigned short refcount, family; ++ unsigned short refcount; /* refcount == 0xffff means overflow record. */ + }; +- ++ ++struct randfd_list { ++ struct randfd *rfd; ++ struct randfd_list *next; ++}; ++ + struct server { + union mysockaddr addr, source_addr; + char interface[IF_NAMESIZE+1]; ++ unsigned int ifindex; /* corresponding to interface, above */ + struct serverfd *sfd; + char *domain; /* set if this server only handles a domain. */ + int flags, tcpfd, edns_pktsz; +@@ -669,8 +676,7 @@ struct frec { + struct frec_src *next; + } frec_src; + struct server *sentto; /* NULL means free */ +- struct randfd *rfd4; +- struct randfd *rfd6; ++ struct randfd_list *rfds; + unsigned short new_id; + int fd, forwardall, flags; + time_t time; +@@ -1100,11 +1106,12 @@ extern struct daemon { + int forwardcount; + struct server *srv_save; /* Used for resend on DoD */ + size_t packet_len; /* " " */ +- struct randfd *rfd_save; /* " " */ ++ int fd_save; /* " " */ + pid_t tcp_pids[MAX_PROCS]; + int tcp_pipes[MAX_PROCS]; + int pipe_to_parent; + struct randfd randomsocks[RANDOM_SOCKS]; ++ struct randfd_list *rfl_spare, *rfl_poll; + int v6pktinfo; + struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */ + int log_id, log_display_id; /* ids of transactions for logging */ +@@ -1275,7 +1282,7 @@ void safe_strncpy(char *dest, const char + void safe_pipe(int *fd, int read_noblock); + void *whine_malloc(size_t size); + int sa_len(union mysockaddr *addr); +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2); ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2); + int hostname_isequal(const char *a, const char *b); + int hostname_issubdomain(char *a, char *b); + time_t dnsmasq_time(void); +@@ -1326,7 +1333,7 @@ char *parse_server(char *arg, union myso + int option_read_dynfile(char *file, int flags); + + /* forward.c */ +-void reply_query(int fd, int family, time_t now); ++void reply_query(int fd, time_t now); + void receive_query(struct listener *listen, time_t now); + unsigned char *tcp_request(int confd, time_t now, + union mysockaddr *local_addr, struct in_addr netmask, int auth_dns); +@@ -1336,13 +1343,12 @@ int send_from(int fd, int nowild, char * + union mysockaddr *to, union all_addr *source, + unsigned int iface); + void resend_query(void); +-struct randfd *allocate_rfd(int family); +-void free_rfd(struct randfd *rfd); ++int allocate_rfd(struct randfd_list **fdlp, struct server *serv); ++void free_rfds(struct randfd_list **fdlp); + + /* network.c */ + int indextoname(int fd, int index, char *name); + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp); +-int random_sock(int family); + void pre_allocate_sfds(void); + int reload_servers(char *fname); + void mark_servers(int flag); +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -16,7 +16,7 @@ + + #include "dnsmasq.h" + +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash); + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); +@@ -307,26 +307,18 @@ static int forward_query(int udpfd, unio + if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) + PUTSHORT(SAFE_PKTSZ, pheader); + +- if (forward->sentto->addr.sa.sa_family == AF_INET) +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); +- else +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); +- +- +- if (forward->sentto->sfd) +- fd = forward->sentto->sfd->fd; +- else ++ if ((fd = allocate_rfd(&forward->rfds, forward->sentto)) != -1) + { +- if (forward->sentto->addr.sa.sa_family == AF_INET6) +- fd = forward->rfd6->fd; ++ if (forward->sentto->addr.sa.sa_family == AF_INET) ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); + else +- fd = forward->rfd4->fd; ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); ++ ++ while (retry_send(sendto(fd, (char *)header, plen, 0, ++ &forward->sentto->addr.sa, ++ sa_len(&forward->sentto->addr)))); + } + +- while (retry_send(sendto(fd, (char *)header, plen, 0, +- &forward->sentto->addr.sa, +- sa_len(&forward->sentto->addr)))); +- + return 1; + } + #endif +@@ -501,49 +493,28 @@ static int forward_query(int udpfd, unio + + while (1) + { ++ int fd; ++ + /* only send to servers dealing with our domain. + domain may be NULL, in which case server->domain + must be NULL also. */ + + if (type == (start->flags & SERV_TYPE) && + (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && +- !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) ++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ ((fd = allocate_rfd(&forward->rfds, start)) != -1)) + { +- int fd; +- +- /* find server socket to use, may need to get random one. */ +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- if (!forward->rfd6 && +- !(forward->rfd6 = allocate_rfd(AF_INET6))) +- break; +- daemon->rfd_save = forward->rfd6; +- fd = forward->rfd6->fd; +- } +- else +- { +- if (!forward->rfd4 && +- !(forward->rfd4 = allocate_rfd(AF_INET))) +- break; +- daemon->rfd_save = forward->rfd4; +- fd = forward->rfd4->fd; +- } + + #ifdef HAVE_CONNTRACK +- /* Copy connection mark of incoming query to outgoing connection. */ +- if (option_bool(OPT_CONNTRACK)) +- { +- unsigned int mark; +- if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark)) +- setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); +- } +-#endif ++ /* Copy connection mark of incoming query to outgoing connection. */ ++ if (option_bool(OPT_CONNTRACK)) ++ { ++ unsigned int mark; ++ if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark)) ++ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); + } +- ++#endif ++ + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER)) + { +@@ -574,6 +545,7 @@ static int forward_query(int udpfd, unio + /* Keep info in case we want to re-send this packet */ + daemon->srv_save = start; + daemon->packet_len = plen; ++ daemon->fd_save = fd; + + if (!gotname) + strcpy(daemon->namebuff, "query"); +@@ -590,7 +562,7 @@ static int forward_query(int udpfd, unio + break; + forward->forwardall++; + } +- } ++ } + + if (!(start = start->next)) + start = daemon->servers; +@@ -805,7 +777,7 @@ static size_t process_reply(struct dns_h + } + + /* sets new last_server */ +-void reply_query(int fd, int family, time_t now) ++void reply_query(int fd, time_t now) + { + /* packet from peer server, extract data for cache, and send to + original requester */ +@@ -820,9 +792,9 @@ void reply_query(int fd, int family, tim + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + /* Determine the address of the server replying so that we can mark that as good */ +- if ((serveraddr.sa.sa_family = family) == AF_INET6) ++ if (serveraddr.sa.sa_family == AF_INET6) + serveraddr.in6.sin6_flowinfo = 0; + + header = (struct dns_header *)daemon->packet; +@@ -845,7 +817,7 @@ void reply_query(int fd, int family, tim + + hash = hash_questions(header, n, daemon->namebuff); + +- if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) ++ if (!(forward = lookup_frec(ntohs(header->id), fd, hash))) + return; + + #ifdef HAVE_DUMPFILE +@@ -900,25 +872,8 @@ void reply_query(int fd, int family, tim + } + + +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- /* may have changed family */ +- if (!forward->rfd6) +- forward->rfd6 = allocate_rfd(AF_INET6); +- fd = forward->rfd6->fd; +- } +- else +- { +- /* may have changed family */ +- if (!forward->rfd4) +- forward->rfd4 = allocate_rfd(AF_INET); +- fd = forward->rfd4->fd; +- } +- } ++ if ((fd = allocate_rfd(&forward->rfds, start)) == -1) ++ return; + + #ifdef HAVE_DUMPFILE + dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr); +@@ -1126,8 +1081,7 @@ void reply_query(int fd, int family, tim + } + + new->sentto = server; +- new->rfd4 = NULL; +- new->rfd6 = NULL; ++ new->rfds = NULL; + new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; +@@ -1166,24 +1120,7 @@ void reply_query(int fd, int family, tim + /* Don't resend this. */ + daemon->srv_save = NULL; + +- if (server->sfd) +- fd = server->sfd->fd; +- else +- { +- fd = -1; +- if (server->addr.sa.sa_family == AF_INET6) +- { +- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) +- fd = new->rfd6->fd; +- } +- else +- { +- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) +- fd = new->rfd4->fd; +- } +- } +- +- if (fd != -1) ++ if ((fd = allocate_rfd(&new->rfds, server)) != -1) + { + #ifdef HAVE_CONNTRACK + /* Copy connection mark of incoming query to outgoing connection. */ +@@ -1344,7 +1281,7 @@ void receive_query(struct listener *list + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0; + netmask.s_addr = 0; + +@@ -2207,9 +2144,8 @@ static struct frec *allocate_frec(time_t + f->next = daemon->frec_list; + f->time = now; + f->sentto = NULL; +- f->rfd4 = NULL; ++ f->rfds = NULL; + f->flags = 0; +- f->rfd6 = NULL; + #ifdef HAVE_DNSSEC + f->dependent = NULL; + f->blocking_query = NULL; +@@ -2221,46 +2157,192 @@ static struct frec *allocate_frec(time_t + return f; + } + +-struct randfd *allocate_rfd(int family) ++/* return a UDP socket bound to a random port, have to cope with straying into ++ occupied port nos and reserved ones. */ ++static int random_sock(struct server *s) ++{ ++ int fd; ++ ++ if ((fd = socket(s->source_addr.sa.sa_family, SOCK_DGRAM, 0)) != -1) ++ { ++ if (local_bind(fd, &s->source_addr, s->interface, s->ifindex, 0)) ++ return fd; ++ ++ if (s->interface[0] == 0) ++ (void)prettyprint_addr(&s->source_addr, daemon->namebuff); ++ else ++ strcpy(daemon->namebuff, s->interface); ++ ++ my_syslog(LOG_ERR, _("failed to bind server socket to %s: %s"), ++ daemon->namebuff, strerror(errno)); ++ close(fd); ++ } ++ ++ return -1; ++} ++ ++/* compare source addresses and interface, serv2 can be null. */ ++static int server_isequal(const struct server *serv1, ++ const struct server *serv2) ++{ ++ return (serv2 && ++ serv2->ifindex == serv1->ifindex && ++ sockaddr_isequal(&serv2->source_addr, &serv1->source_addr) && ++ strncmp(serv2->interface, serv1->interface, IF_NAMESIZE) == 0); ++} ++ ++/* fdlp points to chain of randomfds already in use by transaction. ++ If there's already a suitable one, return it, else allocate a ++ new one and add it to the list. ++ ++ Not leaking any resources in the face of allocation failures ++ is rather convoluted here. ++ ++ Note that rfd->serv may be NULL, when a server goes away. ++*/ ++int allocate_rfd(struct randfd_list **fdlp, struct server *serv) + { + static int finger = 0; +- int i; ++ int i, j = 0; ++ struct randfd_list *rfl; ++ struct randfd *rfd = NULL; ++ int fd = 0; ++ ++ /* If server has a pre-allocated fd, use that. */ ++ if (serv->sfd) ++ return serv->sfd->fd; ++ ++ /* existing suitable random port socket linked to this transaction? */ ++ for (rfl = *fdlp; rfl; rfl = rfl->next) ++ if (server_isequal(serv, rfl->rfd->serv)) ++ return rfl->rfd->fd; ++ ++ /* No. need new link. */ ++ if ((rfl = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl->next; ++ else if (!(rfl = whine_malloc(sizeof(struct randfd_list)))) ++ return -1; + + /* limit the number of sockets we have open to avoid starvation of + (eg) TFTP. Once we have a reasonable number, randomness should be OK */ +- + for (i = 0; i < RANDOM_SOCKS; i++) + if (daemon->randomsocks[i].refcount == 0) + { +- if ((daemon->randomsocks[i].fd = random_sock(family)) == -1) +- break; +- +- daemon->randomsocks[i].refcount = 1; +- daemon->randomsocks[i].family = family; +- return &daemon->randomsocks[i]; ++ if ((fd = random_sock(serv)) != -1) ++ { ++ rfd = &daemon->randomsocks[i]; ++ rfd->serv = serv; ++ rfd->fd = fd; ++ rfd->refcount = 1; ++ } ++ break; + } + + /* No free ones or cannot get new socket, grab an existing one */ +- for (i = 0; i < RANDOM_SOCKS; i++) ++ if (!rfd) ++ for (j = 0; j < RANDOM_SOCKS; j++) ++ { ++ i = (j + finger) % RANDOM_SOCKS; ++ if (daemon->randomsocks[i].refcount != 0 && ++ server_isequal(serv, daemon->randomsocks[i].serv) && ++ daemon->randomsocks[i].refcount != 0xfffe) ++ { ++ finger = i + 1; ++ rfd = &daemon->randomsocks[i]; ++ rfd->refcount++; ++ break; ++ } ++ } ++ ++ if (j == RANDOM_SOCKS) + { +- int j = (i+finger) % RANDOM_SOCKS; +- if (daemon->randomsocks[j].refcount != 0 && +- daemon->randomsocks[j].family == family && +- daemon->randomsocks[j].refcount != 0xffff) ++ struct randfd_list *rfl_poll; ++ ++ /* there are no free slots, and non with the same parameters we can piggy-back on. ++ We're going to have to allocate a new temporary record, distinguished by ++ refcount == 0xffff. This will exist in the frec randfd list, never be shared, ++ and be freed when no longer in use. It will also be held on ++ the daemon->rfl_poll list so the poll system can find it. */ ++ ++ if ((rfl_poll = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl_poll->next; ++ else ++ rfl_poll = whine_malloc(sizeof(struct randfd_list)); ++ ++ if (!rfl_poll || ++ !(rfd = whine_malloc(sizeof(struct randfd))) || ++ (fd = random_sock(serv)) == -1) + { +- finger = j; +- daemon->randomsocks[j].refcount++; +- return &daemon->randomsocks[j]; ++ ++ /* Don't leak anything we may already have */ ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ ++ if (rfl_poll) ++ { ++ rfl_poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl_poll; ++ } ++ ++ if (rfd) ++ free(rfd); ++ ++ return -1; /* doom */ + } ++ ++ /* Note rfd->serv not set here, since it's not reused */ ++ rfd->fd = fd; ++ rfd->refcount = 0xffff; /* marker for temp record */ ++ ++ rfl_poll->rfd = rfd; ++ rfl_poll->next = daemon->rfl_poll; ++ daemon->rfl_poll = rfl_poll; + } + +- return NULL; /* doom */ ++ rfl->rfd = rfd; ++ rfl->next = *fdlp; ++ *fdlp = rfl; ++ ++ return rfl->rfd->fd; + } + +-void free_rfd(struct randfd *rfd) ++void free_rfds(struct randfd_list **fdlp) + { +- if (rfd && --(rfd->refcount) == 0) +- close(rfd->fd); ++ struct randfd_list *tmp, *rfl, *poll, *next, **up; ++ ++ for (rfl = *fdlp; rfl; rfl = tmp) ++ { ++ if (rfl->rfd->refcount == 0xffff || --(rfl->rfd->refcount) == 0) ++ close(rfl->rfd->fd); ++ ++ /* temporary overflow record */ ++ if (rfl->rfd->refcount == 0xffff) ++ { ++ free(rfl->rfd); ++ ++ /* go through the link of all these by steam to delete. ++ This list is expected to be almost always empty. */ ++ for (poll = daemon->rfl_poll, up = &daemon->rfl_poll; poll; poll = next) ++ { ++ next = poll->next; ++ ++ if (poll->rfd == rfl->rfd) ++ { ++ *up = poll->next; ++ poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = poll; ++ } ++ else ++ up = &poll->next; ++ } ++ } ++ ++ tmp = rfl->next; ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ } ++ ++ *fdlp = NULL; + } + + static void free_frec(struct frec *f) +@@ -2276,12 +2358,9 @@ static void free_frec(struct frec *f) + } + + f->frec_src.next = NULL; +- free_rfd(f->rfd4); +- f->rfd4 = NULL; ++ free_rfds(&f->rfds); + f->sentto = NULL; + f->flags = 0; +- free_rfd(f->rfd6); +- f->rfd6 = NULL; + + #ifdef HAVE_DNSSEC + if (f->stash) +@@ -2389,26 +2468,39 @@ struct frec *get_new_frec(time_t now, in + } + + /* crc is all-ones if not known. */ +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash) + { + struct frec *f; ++ struct server *s; ++ int type; ++ struct randfd_list *fdl; + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && + (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ +- if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) ++ for (fdl = f->rfds; fdl; fdl = fdl->next) ++ if (fdl->rfd->fd == fd) + return f; ++ } + +- if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) +- return f; ++ /* Sent to upstream from socket associated with a server. ++ Note we have to iterate over all the possible servers, since they may ++ have different bound sockets. */ ++ type = f->sentto->flags & SERV_TYPE; ++ s = f->sentto; ++ do { ++ if ((type == (s->flags & SERV_TYPE)) && ++ (type != SERV_HAS_DOMAIN || ++ (s->domain && hostname_isequal(f->sentto->domain, s->domain))) && ++ !(s->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ s->sfd && s->sfd->fd == fd) ++ return f; ++ ++ s = s->next ? s->next : daemon->servers; ++ } while (s != f->sentto); + +- /* sent to upstream from bound socket. */ +- if (f->sentto->sfd && f->sentto->sfd->fd == fd) +- return f; +- } +- + return NULL; + } + +@@ -2454,30 +2546,26 @@ static struct frec *lookup_frec_by_query + void resend_query() + { + if (daemon->srv_save) +- { +- int fd; +- +- if (daemon->srv_save->sfd) +- fd = daemon->srv_save->sfd->fd; +- else if (daemon->rfd_save && daemon->rfd_save->refcount != 0) +- fd = daemon->rfd_save->fd; +- else +- return; +- +- while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0, +- &daemon->srv_save->addr.sa, +- sa_len(&daemon->srv_save->addr)))); +- } ++ while(retry_send(sendto(daemon->fd_save, daemon->packet, daemon->packet_len, 0, ++ &daemon->srv_save->addr.sa, ++ sa_len(&daemon->srv_save->addr)))); + } + + /* A server record is going away, remove references to it */ + void server_gone(struct server *server) + { + struct frec *f; ++ int i; + + for (f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->sentto == server) + free_frec(f); ++ ++ /* If any random socket refers to this server, NULL the reference. ++ No more references to the socket will be created in the future. */ ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server) ++ daemon->randomsocks[i].serv = NULL; + + if (daemon->last_server == server) + daemon->last_server = NULL; +Index: dnsmasq-2.81/src/loop.c +=================================================================== +--- dnsmasq-2.81.orig/src/loop.c ++++ dnsmasq-2.81/src/loop.c +@@ -22,6 +22,7 @@ static ssize_t loop_make_probe(u32 uid); + void loop_send_probes() + { + struct server *serv; ++ struct randfd_list *rfds = NULL; + + if (!option_bool(OPT_LOOP_DETECT)) + return; +@@ -34,22 +35,15 @@ void loop_send_probes() + { + ssize_t len = loop_make_probe(serv->uid); + int fd; +- struct randfd *rfd = NULL; + +- if (serv->sfd) +- fd = serv->sfd->fd; +- else +- { +- if (!(rfd = allocate_rfd(serv->addr.sa.sa_family))) +- continue; +- fd = rfd->fd; +- } ++ if ((fd = allocate_rfd(&rfds, serv)) == -1) ++ continue; + + while (retry_send(sendto(fd, daemon->packet, len, 0, + &serv->addr.sa, sa_len(&serv->addr)))); +- +- free_rfd(rfd); + } ++ ++ free_rfds(&rfds); + } + + static ssize_t loop_make_probe(u32 uid) +Index: dnsmasq-2.81/src/network.c +=================================================================== +--- dnsmasq-2.81.orig/src/network.c ++++ dnsmasq-2.81/src/network.c +@@ -545,6 +545,7 @@ int enumerate_interfaces(int reset) + #ifdef HAVE_AUTH + struct auth_zone *zone; + #endif ++ struct server *serv; + + /* Do this max once per select cycle - also inhibits netlink socket use + in TCP child processes. */ +@@ -562,7 +563,21 @@ int enumerate_interfaces(int reset) + + if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1) + return 0; +- ++ ++ /* iface indexes can change when interfaces are created/destroyed. ++ We use them in the main forwarding control path, when the path ++ to a server is specified by an interface, so cache them. ++ Update the cache here. */ ++ for (serv = daemon->servers; serv; serv = serv->next) ++ if (strlen(serv->interface) != 0) ++ { ++ struct ifreq ifr; ++ ++ safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE); ++ if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1) ++ serv->ifindex = ifr.ifr_ifindex; ++ } ++ + /* Mark interfaces for garbage collection */ + for (iface = daemon->interfaces; iface; iface = iface->next) + iface->found = 0; +@@ -658,7 +673,7 @@ int enumerate_interfaces(int reset) + + errno = errsave; + spare = param.spare; +- ++ + return ret; + } + +@@ -798,10 +813,10 @@ int tcp_interface(int fd, int af) + /* use mshdr so that the CMSDG_* macros are available */ + msg.msg_control = daemon->packet; + msg.msg_controllen = len = daemon->packet_buff_sz; +- ++ + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if (af == AF_INET) + { + if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 && +@@ -1102,59 +1117,6 @@ void join_multicast(int dienow) + } + #endif + +-/* return a UDP socket bound to a random port, have to cope with straying into +- occupied port nos and reserved ones. */ +-int random_sock(int family) +-{ +- int fd; +- +- if ((fd = socket(family, SOCK_DGRAM, 0)) != -1) +- { +- union mysockaddr addr; +- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; +- int tries = ports_avail < 30 ? 3 * ports_avail : 100; +- +- memset(&addr, 0, sizeof(addr)); +- addr.sa.sa_family = family; +- +- /* don't loop forever if all ports in use. */ +- +- if (fix_fd(fd)) +- while(tries--) +- { +- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail))); +- +- if (family == AF_INET) +- { +- addr.in.sin_addr.s_addr = INADDR_ANY; +- addr.in.sin_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in.sin_len = sizeof(struct sockaddr_in); +-#endif +- } +- else +- { +- addr.in6.sin6_addr = in6addr_any; +- addr.in6.sin6_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in6.sin6_len = sizeof(struct sockaddr_in6); +-#endif +- } +- +- if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0) +- return fd; +- +- if (errno != EADDRINUSE && errno != EACCES) +- break; +- } +- +- close(fd); +- } +- +- return -1; +-} +- +- + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp) + { + union mysockaddr addr_copy = *addr; +@@ -1199,38 +1161,33 @@ int local_bind(int fd, union mysockaddr + return 1; + } + +-static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname) ++static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex) + { + struct serverfd *sfd; +- unsigned int ifindex = 0; + int errsave; + int opt = 1; + + /* when using random ports, servers which would otherwise use +- the INADDR_ANY/port0 socket have sfd set to NULL */ +- if (!daemon->osport && intname[0] == 0) ++ the INADDR_ANY/port0 socket have sfd set to NULL, this is ++ anything without an explictly set source port. */ ++ if (!daemon->osport) + { + errno = 0; + + if (addr->sa.sa_family == AF_INET && +- addr->in.sin_addr.s_addr == INADDR_ANY && + addr->in.sin_port == htons(0)) + return NULL; + + if (addr->sa.sa_family == AF_INET6 && +- memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 && + addr->in6.sin6_port == htons(0)) + return NULL; + } + +- if (intname && strlen(intname) != 0) +- ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */ +- + /* may have a suitable one already */ + for (sfd = daemon->sfds; sfd; sfd = sfd->next ) +- if (sockaddr_isequal(&sfd->source_addr, addr) && +- strcmp(intname, sfd->interface) == 0 && +- ifindex == sfd->ifindex) ++ if (ifindex == sfd->ifindex && ++ sockaddr_isequal(&sfd->source_addr, addr) && ++ strcmp(intname, sfd->interface) == 0) + return sfd; + + /* need to make a new one. */ +@@ -1281,7 +1238,7 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in.sin_len = sizeof(struct sockaddr_in); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + + memset(&addr, 0, sizeof(addr)); +@@ -1291,13 +1248,13 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in6.sin6_len = sizeof(struct sockaddr_in6); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + } + + for (srv = daemon->servers; srv; srv = srv->next) + if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)) && +- !allocate_sfd(&srv->source_addr, srv->interface) && ++ !allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) && + errno != 0 && + option_bool(OPT_NOWILD)) + { +@@ -1506,7 +1463,7 @@ void check_servers(void) + + /* Do we need a socket set? */ + if (!serv->sfd && +- !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface)) && ++ !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) && + errno != 0) + { + my_syslog(LOG_WARNING, +Index: dnsmasq-2.81/src/option.c +=================================================================== +--- dnsmasq-2.81.orig/src/option.c ++++ dnsmasq-2.81/src/option.c +@@ -810,7 +810,8 @@ char *parse_server(char *arg, union myso + if (interface_opt) + { + #if defined(SO_BINDTODEVICE) +- safe_strncpy(interface, interface_opt, IF_NAMESIZE); ++ safe_strncpy(interface, source, IF_NAMESIZE); ++ source = interface_opt; + #else + return _("interface binding not supported"); + #endif +Index: dnsmasq-2.81/src/tftp.c +=================================================================== +--- dnsmasq-2.81.orig/src/tftp.c ++++ dnsmasq-2.81/src/tftp.c +@@ -601,7 +601,7 @@ void check_tftp_listeners(time_t now) + + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if ((len = get_block(daemon->packet, transfer)) == -1) + { + len = tftp_err_oops(daemon->packet, transfer->file->filename); +Index: dnsmasq-2.81/src/util.c +=================================================================== +--- dnsmasq-2.81.orig/src/util.c ++++ dnsmasq-2.81/src/util.c +@@ -316,7 +316,7 @@ void *whine_malloc(size_t size) + return ret; + } + +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2) ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2) + { + if (s1->sa.sa_family == s2->sa.sa_family) + { diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..b2ef22c06f --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch @@ -0,0 +1,188 @@ +From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 22 Sep 2022 17:39:21 +0530 +Subject: [PATCH] CVE-2022-0934 + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39] +CVE: CVE-2022-0934 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CHANGELOG | 2 ++ + src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- + 2 files changed, 29 insertions(+), 21 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 60b08d0..d1d7e41 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -88,6 +88,8 @@ version 2.81 + + Add --script-on-renewal option. + ++ Fix write-after-free error in DHCPv6 server code. ++ CVE-2022-0934 refers. + + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method +diff --git a/src/rfc3315.c b/src/rfc3315.c +index b3f0a0a..eef1360 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -33,9 +33,9 @@ struct state { + unsigned int mac_len, mac_type; + }; + +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now); +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + } + + /* This cost me blood to write, it will probably cost you blood to understand - srk. */ +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now) + { + void *end = inbuff + sz; + void *opts = inbuff + 34; +- int msg_type = *((unsigned char *)inbuff); ++ int msg_type = *inbuff; + unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 1; + } + +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) + { + void *opt; +- int i, o, o1, start_opts; ++ int i, o, o1, start_opts, start_msg; + struct dhcp_opt *opt_cfg; + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char outmsgtype; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + v6_id.next = state->tags; + state->tags = &v6_id; + +- /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ start_msg = save_counter(-1); ++ /* copy over transaction-id */ ++ if (!put_opt6(inbuff, 4)) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; +- ++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; ++ + /* We're going to be linking tags from all context we use. + mark them as unused so we don't link one twice and break the list */ + for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ outmsgtype = DHCP6ADVERTISE; + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RENEW: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRENEW", NULL, NULL); + +@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + tagif = add_options(state, 1); + break; + } +@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + + } +- ++ ++ /* Fill in the message type. Note that we store the offset, ++ not a direct pointer, since the packet memory may have been ++ reallocated. */ ++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; ++ + log_tags(tagif, state->xid); + log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); + +-- +2.25.1 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch new file mode 100644 index 0000000000..dd3bd27408 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch @@ -0,0 +1,63 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5] +CVE: CVE-2023-28450 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + CHANGELOG | 8 ++++++++ + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index d1d7e41..7a560d3 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -91,6 +91,14 @@ version 2.81 + Fix write-after-free error in DHCPv6 server code. + CVE-2022-0934 refers. + ++ Set the default maximum DNS UDP packet sice to 1232. This ++ has been the recommended value since 2020 because it's the ++ largest value that avoid fragmentation, and fragmentation ++ is just not reliable on the modern internet, especially ++ for IPv6. It's still possible to override this with ++ --edns-packet-max for special circumstances. ++ ++ + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method + for the initial patch and motivation. +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index f2803f9..3cca4bc 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max=<size> + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port=<query_port> + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 54f6f48..29ac3e7 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.18.2 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index 92415386c2..f2b8feac56 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb @@ -4,5 +4,13 @@ SRC_URI[dnsmasq-2.81.md5sum] = "e43808177a773014b5892ccba238f7a8" SRC_URI[dnsmasq-2.81.sha256sum] = "3c28c68c6c2967c3a96e9b432c0c046a5df17a426d3a43cffe9e693cf05804d0" SRC_URI += "\ file://lua.patch \ + file://CVE-2020-25681.patch \ + file://CVE-2020-25684.patch \ + file://CVE-2020-25685-1.patch \ + file://CVE-2020-25685-2.patch \ + file://CVE-2020-25686-1.patch \ + file://CVE-2020-25686-2.patch \ + file://CVE-2021-3448.patch \ + file://CVE-2022-0934.patch \ + file://CVE-2023-28450.patch \ " - diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch new file mode 100644 index 0000000000..6756157700 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch @@ -0,0 +1,370 @@ +From 4e96a4be685c9e4445f6ee79ad0b36b9119b502a Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Wed, 11 Nov 2020 23:25:04 +0000 +Subject: [PATCH] Fix remote buffer overflow CERT VU#434904 + +The problem is in the sort_rrset() function and allows a remote +attacker to overwrite memory. Any dnsmasq instance with DNSSEC +enabled is vulnerable. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 7 +- + src/dnssec.c | 273 ++++++++++++++++++++++++++++----------------------- + 2 files changed, 158 insertions(+), 122 deletions(-) + +CVE: CVE-2020-25681 +CVE: CVE-2020-25682 +CVE: CVE-2020-25683 +CVE: CVE-2020-25687 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a] +Comment: Refreshed first two hunks + +Index: dnsmasq-2.81/src/dnssec.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnssec.c ++++ dnsmasq-2.81/src/dnssec.c +@@ -223,138 +223,144 @@ static int check_date_range(unsigned lon + && serial_compare_32(curtime, date_end) == SERIAL_LT; + } + +-/* Return bytes of canonicalised rdata, when the return value is zero, the remaining +- data, pointed to by *p, should be used raw. */ +-static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, +- unsigned char **p, u16 **desc) ++/* Return bytes of canonicalised rrdata one by one. ++ Init state->ip with the RR, and state->end with the end of same. ++ Init state->op to NULL. ++ Init state->desc to RR descriptor. ++ Init state->buff with a MAXDNAME * 2 buffer. ++ ++ After each call which returns 1, state->op points to the next byte of data. ++ On returning 0, the end has been reached. ++*/ ++struct rdata_state { ++ u16 *desc; ++ size_t c; ++ unsigned char *end, *ip, *op; ++ char *buff; ++}; ++ ++static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state *state) + { +- int d = **desc; ++ int d; + +- /* No more data needs mangling */ +- if (d == (u16)-1) ++ if (state->op && state->c != 1) + { +- /* If there's more data than we have space for, just return what fits, +- we'll get called again for more chunks */ +- if (end - *p > bufflen) +- { +- memcpy(buff, *p, bufflen); +- *p += bufflen; +- return bufflen; +- } +- +- return 0; ++ state->op++; ++ state->c--; ++ return 1; + } +- +- (*desc)++; +- +- if (d == 0 && extract_name(header, plen, p, buff, 1, 0)) +- /* domain-name, canonicalise */ +- return to_wire(buff); +- else +- { +- /* plain data preceding a domain-name, don't run off the end of the data */ +- if ((end - *p) < d) +- d = end - *p; +- +- if (d != 0) ++ ++ while (1) ++ { ++ d = *(state->desc); ++ if (d == (u16)-1) + { +- memcpy(buff, *p, d); +- *p += d; ++ /* all the bytes to the end. */ ++ if ((state->c = state->end - state->ip) != 0) ++ { ++ state->op = state->ip; ++ state->ip = state->end;; ++ } ++ else ++ return 0; ++ } ++ else ++ { ++ state->desc++; ++ ++ if (d == (u16)0) ++ { ++ /* domain-name, canonicalise */ ++ int len; ++ ++ if (!extract_name(header, plen, &state->ip, state->buff, 1, 0) || ++ (len = to_wire(state->buff)) == 0) ++ continue; ++ ++ state->c = len; ++ state->op = (unsigned char *)state->buff; ++ } ++ else ++ { ++ /* plain data preceding a domain-name, don't run off the end of the data */ ++ if ((state->end - state->ip) < d) ++ d = state->end - state->ip; ++ ++ if (d == 0) ++ continue; ++ ++ state->op = state->ip; ++ state->c = d; ++ state->ip += d; ++ } + } + +- return d; ++ return 1; + } + } + +-/* Bubble sort the RRset into the canonical order. +- Note that the byte-streams from two RRs may get unsynced: consider +- RRs which have two domain-names at the start and then other data. +- The domain-names may have different lengths in each RR, but sort equal +- +- ------------ +- |abcde|fghi| +- ------------ +- |abcd|efghi| +- ------------ +- +- leaving the following bytes as deciding the order. Hence the nasty left1 and left2 variables. +-*/ ++/* Bubble sort the RRset into the canonical order. */ + + static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx, + unsigned char **rrset, char *buff1, char *buff2) + { +- int swap, quit, i, j; ++ int swap, i, j; + + do + { + for (swap = 0, i = 0; i < rrsetidx-1; i++) + { +- int rdlen1, rdlen2, left1, left2, len1, len2, len, rc; +- u16 *dp1, *dp2; +- unsigned char *end1, *end2; ++ int rdlen1, rdlen2; ++ struct rdata_state state1, state2; ++ + /* Note that these have been determined to be OK previously, + so we don't need to check for NULL return here. */ +- unsigned char *p1 = skip_name(rrset[i], header, plen, 10); +- unsigned char *p2 = skip_name(rrset[i+1], header, plen, 10); +- +- p1 += 8; /* skip class, type, ttl */ +- GETSHORT(rdlen1, p1); +- end1 = p1 + rdlen1; +- +- p2 += 8; /* skip class, type, ttl */ +- GETSHORT(rdlen2, p2); +- end2 = p2 + rdlen2; +- +- dp1 = dp2 = rr_desc; +- +- for (quit = 0, left1 = 0, left2 = 0, len1 = 0, len2 = 0; !quit;) ++ state1.ip = skip_name(rrset[i], header, plen, 10); ++ state2.ip = skip_name(rrset[i+1], header, plen, 10); ++ state1.op = state2.op = NULL; ++ state1.buff = buff1; ++ state2.buff = buff2; ++ state1.desc = state2.desc = rr_desc; ++ ++ state1.ip += 8; /* skip class, type, ttl */ ++ GETSHORT(rdlen1, state1.ip); ++ if (!CHECK_LEN(header, state1.ip, plen, rdlen1)) ++ return rrsetidx; /* short packet */ ++ state1.end = state1.ip + rdlen1; ++ state2.ip += 8; /* skip class, type, ttl */ ++ GETSHORT(rdlen2, state2.ip); ++ if (!CHECK_LEN(header, state2.ip, plen, rdlen2)) ++ return rrsetidx; /* short packet */ ++ state2.end = state2.ip + rdlen2; ++ ++ while (1) + { +- if (left1 != 0) +- memmove(buff1, buff1 + len1 - left1, left1); +- +- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0) +- { +- quit = 1; +- len1 = end1 - p1; +- memcpy(buff1 + left1, p1, len1); ++ int ok1, ok2; ++ ok1 = get_rdata(header, plen, &state1); ++ ok2 = get_rdata(header, plen, &state2); ++ ++ if (!ok1 && !ok2) ++ { ++ /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */ ++ for (j = i+1; j < rrsetidx-1; j++) ++ rrset[j] = rrset[j+1]; ++ rrsetidx--; ++ i--; ++ break; + } +- len1 += left1; +- +- if (left2 != 0) +- memmove(buff2, buff2 + len2 - left2, left2); +- +- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0) +- { +- quit = 1; +- len2 = end2 - p2; +- memcpy(buff2 + left2, p2, len2); +- } +- len2 += left2; +- +- if (len1 > len2) +- left1 = len1 - len2, left2 = 0, len = len2; +- else +- left2 = len2 - len1, left1 = 0, len = len1; +- +- rc = (len == 0) ? 0 : memcmp(buff1, buff2, len); +- +- if (rc > 0 || (rc == 0 && quit && len1 > len2)) ++ else if (ok1 && (!ok2 || *state1.op > *state2.op)) + { + unsigned char *tmp = rrset[i+1]; + rrset[i+1] = rrset[i]; + rrset[i] = tmp; +- swap = quit = 1; +- } +- else if (rc == 0 && quit && len1 == len2) +- { +- /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */ +- for (j = i+1; j < rrsetidx-1; j++) +- rrset[j] = rrset[j+1]; +- rrsetidx--; +- i--; ++ swap = 1; ++ break; + } +- else if (rc < 0) +- quit = 1; ++ else if (ok2 && (!ok1 || *state2.op > *state1.op)) ++ break; ++ ++ /* arrive here when bytes are equal, go round the loop again ++ and compare the next ones. */ + } + } + } while (swap); +@@ -569,12 +575,15 @@ static int validate_rrset(time_t now, st + wire_len = to_wire(keyname); + hash->update(ctx, (unsigned int)wire_len, (unsigned char*)keyname); + from_wire(keyname); ++ ++#define RRBUFLEN 300 /* Most RRs are smaller than this. */ + + for (i = 0; i < rrsetidx; ++i) + { +- int seg; +- unsigned char *end, *cp; +- u16 len, *dp; ++ int j; ++ struct rdata_state state; ++ u16 len; ++ unsigned char rrbuf[RRBUFLEN]; + + p = rrset[i]; + +@@ -586,12 +595,11 @@ static int validate_rrset(time_t now, st + /* if more labels than in RRsig name, hash *.<no labels in rrsig labels field> 4035 5.3.2 */ + if (labels < name_labels) + { +- int k; +- for (k = name_labels - labels; k != 0; k--) ++ for (j = name_labels - labels; j != 0; j--) + { + while (*name_start != '.' && *name_start != 0) + name_start++; +- if (k != 1 && *name_start == '.') ++ if (j != 1 && *name_start == '.') + name_start++; + } + +@@ -612,24 +620,44 @@ static int validate_rrset(time_t now, st + if (!CHECK_LEN(header, p, plen, rdlen)) + return STAT_BOGUS; + +- end = p + rdlen; +- +- /* canonicalise rdata and calculate length of same, use name buffer as workspace. +- Note that name buffer is twice MAXDNAME long in DNSSEC mode. */ +- cp = p; +- dp = rr_desc; +- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg); +- len += end - cp; +- len = htons(len); ++ /* canonicalise rdata and calculate length of same, use ++ name buffer as workspace for get_rdata. */ ++ state.ip = p; ++ state.op = NULL; ++ state.desc = rr_desc; ++ state.buff = name; ++ state.end = p + rdlen; ++ ++ for (j = 0; get_rdata(header, plen, &state); j++) ++ if (j < RRBUFLEN) ++ rrbuf[j] = *state.op; ++ ++ len = htons((u16)j); + hash->update(ctx, 2, (unsigned char *)&len); ++ ++ /* If the RR is shorter than RRBUFLEN (most of them, in practice) ++ then we can just digest it now. If it exceeds RRBUFLEN we have to ++ go back to the start and do it in chunks. */ ++ if (j >= RRBUFLEN) ++ { ++ state.ip = p; ++ state.op = NULL; ++ state.desc = rr_desc; ++ ++ for (j = 0; get_rdata(header, plen, &state); j++) ++ { ++ rrbuf[j] = *state.op; ++ ++ if (j == RRBUFLEN - 1) ++ { ++ hash->update(ctx, RRBUFLEN, rrbuf); ++ j = -1; ++ } ++ } ++ } + +- /* Now canonicalise again and digest. */ +- cp = p; +- dp = rr_desc; +- while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp))) +- hash->update(ctx, seg, (unsigned char *)name); +- if (cp != end) +- hash->update(ctx, end - cp, cp); ++ if (j != 0) ++ hash->update(ctx, j, rrbuf); + } + + hash->digest(ctx, hash->digest_size, digest); diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch new file mode 100644 index 0000000000..f7ff4b27cc --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch @@ -0,0 +1,98 @@ +From 257ac0c5f7732cbc6aa96fdd3b06602234593aca Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 12 Nov 2020 18:49:23 +0000 +Subject: [PATCH] Check destination of DNS UDP query replies. + +At any time, dnsmasq will have a set of sockets open, bound to +random ports, on which it sends queries to upstream nameservers. +This patch fixes the existing problem that a reply for ANY in-flight +query would be accepted via ANY open port, which increases the +chances of an attacker flooding answers "in the blind" in an +attempt to poison the DNS cache. CERT VU#434904 refers. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 6 +++++- + src/forward.c | 37 ++++++++++++++++++++++++++++--------- + 2 files changed, 33 insertions(+), 10 deletions(-) + +CVE: CVE-2020-25684 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -16,7 +16,7 @@ + + #include "dnsmasq.h" + +-static struct frec *lookup_frec(unsigned short id, void *hash); ++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); +@@ -805,7 +805,7 @@ void reply_query(int fd, int family, tim + crc = questions_crc(header, n, daemon->namebuff); + #endif + +- if (!(forward = lookup_frec(ntohs(header->id), hash))) ++ if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) + return; + + #ifdef HAVE_DUMPFILE +@@ -2338,14 +2338,25 @@ struct frec *get_new_frec(time_t now, in + } + + /* crc is all-ones if not known. */ +-static struct frec *lookup_frec(unsigned short id, void *hash) ++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) + { + struct frec *f; + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && + (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0)) +- return f; ++ { ++ /* sent from random port */ ++ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) ++ return f; ++ ++ if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) ++ return f; ++ ++ /* sent to upstream from bound socket. */ ++ if (f->sentto->sfd && f->sentto->sfd->fd == fd) ++ return f; ++ } + + return NULL; + } +@@ -2406,12 +2417,20 @@ void server_gone(struct server *server) + static unsigned short get_id(void) + { + unsigned short ret = 0; ++ struct frec *f; + +- do +- ret = rand16(); +- while (lookup_frec(ret, NULL)); +- +- return ret; ++ while (1) ++ { ++ ret = rand16(); ++ ++ /* ensure id is unique. */ ++ for (f = daemon->frec_list; f; f = f->next) ++ if (f->sentto && f->new_id == ret) ++ break; ++ ++ if (!f) ++ return ret; ++ } + } + + diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch new file mode 100644 index 0000000000..5eb582c671 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch @@ -0,0 +1,587 @@ +From 2d765867c597db18be9d876c9c17e2c0fe1953cd Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 12 Nov 2020 22:06:07 +0000 +Subject: [PATCH] Use SHA-256 to provide security against DNS cache poisoning. + +Use the SHA-256 hash function to verify that DNS answers +received are for the questions originally asked. This replaces +the slightly insecure SHA-1 (when compiled with DNSSEC) or +the very insecure CRC32 (otherwise). Refer: CERT VU#434904. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 5 + + Makefile | 3 +- + bld/Android.mk | 2 +- + src/dnsmasq.h | 11 +- + src/dnssec.c | 31 ----- + src/forward.c | 43 ++----- + src/hash_questions.c | 281 +++++++++++++++++++++++++++++++++++++++++++ + src/rfc1035.c | 49 -------- + 8 files changed, 301 insertions(+), 124 deletions(-) + create mode 100644 src/hash_questions.c + +CVE: CVE-2020-25685 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b] +Comment: No change in any hunk + +Index: dnsmasq-2.81/Makefile +=================================================================== +--- dnsmasq-2.81.orig/Makefile ++++ dnsmasq-2.81/Makefile +@@ -77,7 +77,8 @@ objs = cache.o rfc1035.o util.o option.o + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +- poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o ++ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ ++ metrics.o hash_questions.o + + hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h metrics.h +Index: dnsmasq-2.81/bld/Android.mk +=================================================================== +--- dnsmasq-2.81.orig/bld/Android.mk ++++ dnsmasq-2.81/bld/Android.mk +@@ -11,7 +11,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c + radv.c slaac.c auth.c ipset.c domain.c \ + dnssec.c dnssec-openssl.c blockdata.c tables.c \ + loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \ +- crypto.c dump.c ubus.c ++ crypto.c dump.c ubus.c metrics.c hash_questions.c + + LOCAL_MODULE := dnsmasq + +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -654,11 +654,7 @@ struct hostsfile { + #define FREC_TEST_PKTSZ 256 + #define FREC_HAS_EXTRADATA 512 + +-#ifdef HAVE_DNSSEC +-#define HASH_SIZE 20 /* SHA-1 digest size */ +-#else +-#define HASH_SIZE sizeof(int) +-#endif ++#define HASH_SIZE 32 /* SHA-256 digest size */ + + struct frec { + union mysockaddr source; +@@ -1218,7 +1214,6 @@ int check_for_bogus_wildcard(struct dns_ + struct bogus_addr *baddr, time_t now); + int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr); + int check_for_local_domain(char *name, time_t now); +-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name); + size_t resize_packet(struct dns_header *header, size_t plen, + unsigned char *pheader, size_t hlen); + int add_resource_record(struct dns_header *header, char *limit, int *truncp, +@@ -1243,9 +1238,11 @@ int dnssec_validate_reply(time_t now, st + int check_unsigned, int *neganswer, int *nons, int *nsec_ttl); + int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); +-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); + int setup_timestamp(void); + ++/* hash_questions.c */ ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name); ++ + /* crypto.c */ + const struct nettle_hash *hash_find(char *name); + int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp); +Index: dnsmasq-2.81/src/dnssec.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnssec.c ++++ dnsmasq-2.81/src/dnssec.c +@@ -2084,35 +2084,4 @@ size_t dnssec_generate_query(struct dns_ + return ret; + } + +-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name) +-{ +- int q; +- unsigned int len; +- unsigned char *p = (unsigned char *)(header+1); +- const struct nettle_hash *hash; +- void *ctx; +- unsigned char *digest; +- +- if (!(hash = hash_find("sha1")) || !hash_init(hash, &ctx, &digest)) +- return NULL; +- +- for (q = ntohs(header->qdcount); q != 0; q--) +- { +- if (!extract_name(header, plen, &p, name, 1, 4)) +- break; /* bad packet */ +- +- len = to_wire(name); +- hash->update(ctx, len, (unsigned char *)name); +- /* CRC the class and type as well */ +- hash->update(ctx, 4, p); +- +- p += 4; +- if (!CHECK_LEN(header, p, plen, 0)) +- break; /* bad packet */ +- } +- +- hash->digest(ctx, hash->digest_size, digest); +- return digest; +-} +- + #endif /* HAVE_DNSSEC */ +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -256,19 +256,16 @@ static int forward_query(int udpfd, unio + union all_addr *addrp = NULL; + unsigned int flags = 0; + struct server *start = NULL; +-#ifdef HAVE_DNSSEC + void *hash = hash_questions(header, plen, daemon->namebuff); ++#ifdef HAVE_DNSSEC + int do_dnssec = 0; +-#else +- unsigned int crc = questions_crc(header, plen, daemon->namebuff); +- void *hash = &crc; + #endif + unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); + (void)do_bit; + + /* may be no servers available. */ +- if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))) ++ if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))) + { + /* If we didn't get an answer advertising a maximal packet in EDNS, + fall back to 1280, which should work everywhere on IPv6. +@@ -769,9 +766,6 @@ void reply_query(int fd, int family, tim + size_t nn; + struct server *server; + void *hash; +-#ifndef HAVE_DNSSEC +- unsigned int crc; +-#endif + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +@@ -798,12 +792,7 @@ void reply_query(int fd, int family, tim + if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME) + server->edns_pktsz = daemon->edns_pktsz; + +-#ifdef HAVE_DNSSEC + hash = hash_questions(header, n, daemon->namebuff); +-#else +- hash = &crc; +- crc = questions_crc(header, n, daemon->namebuff); +-#endif + + if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) + return; +@@ -1115,8 +1104,7 @@ void reply_query(int fd, int family, tim + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (union all_addr *)&(server->addr.in6.sin6_addr), + querystr("dnssec-query", querytype)); + +- if ((hash = hash_questions(header, nn, daemon->namebuff))) +- memcpy(new->hash, hash, HASH_SIZE); ++ memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE); + new->new_id = get_id(); + header->id = htons(new->new_id); + /* Save query for retransmission */ +@@ -1969,15 +1957,9 @@ unsigned char *tcp_request(int confd, ti + if (!flags && last_server) + { + struct server *firstsendto = NULL; +-#ifdef HAVE_DNSSEC +- unsigned char *newhash, hash[HASH_SIZE]; +- if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff))) +- memcpy(hash, newhash, HASH_SIZE); +- else +- memset(hash, 0, HASH_SIZE); +-#else +- unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff); +-#endif ++ unsigned char hash[HASH_SIZE]; ++ memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE); ++ + /* Loop round available servers until we succeed in connecting to one. + Note that this code subtly ensures that consecutive queries on this connection + which can go to the same server, do so. */ +@@ -2116,20 +2098,11 @@ unsigned char *tcp_request(int confd, ti + /* If the crc of the question section doesn't match the crc we sent, then + someone might be attempting to insert bogus values into the cache by + sending replies containing questions and bogus answers. */ +-#ifdef HAVE_DNSSEC +- newhash = hash_questions(header, (unsigned int)m, daemon->namebuff); +- if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0) ++ if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0) + { + m = 0; + break; + } +-#else +- if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff)) +- { +- m = 0; +- break; +- } +-#endif + + m = process_reply(header, now, last_server, (unsigned int)m, + option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, +@@ -2344,7 +2317,7 @@ static struct frec *lookup_frec(unsigned + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && +- (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0)) ++ (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ + if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) +Index: dnsmasq-2.81/src/hash_questions.c +=================================================================== +--- /dev/null ++++ dnsmasq-2.81/src/hash_questions.c +@@ -0,0 +1,281 @@ ++/* Copyright (c) 2012-2020 Simon Kelley ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 dated June, 1991, or ++ (at your option) version 3 dated 29 June, 2007. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see <http://www.gnu.org/licenses/>. ++*/ ++ ++ ++/* Hash the question section. This is used to safely detect query ++ retransmission and to detect answers to questions we didn't ask, which ++ might be poisoning attacks. Note that we decode the name rather ++ than CRC the raw bytes, since replies might be compressed differently. ++ We ignore case in the names for the same reason. ++ ++ The hash used is SHA-256. If we're building with DNSSEC support, ++ we use the Nettle cypto library. If not, we prefer not to ++ add a dependency on Nettle, and use a stand-alone implementaion. ++*/ ++ ++#include "dnsmasq.h" ++ ++#ifdef HAVE_DNSSEC ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) ++{ ++ int q; ++ unsigned char *p = (unsigned char *)(header+1); ++ const struct nettle_hash *hash; ++ void *ctx; ++ unsigned char *digest; ++ ++ if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest)) ++ { ++ /* don't think this can ever happen. */ ++ static unsigned char dummy[HASH_SIZE]; ++ static int warned = 0; ++ ++ if (warned) ++ my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object")); ++ warned = 1; ++ ++ return dummy; ++ } ++ ++ for (q = ntohs(header->qdcount); q != 0; q--) ++ { ++ char *cp, c; ++ ++ if (!extract_name(header, plen, &p, name, 1, 4)) ++ break; /* bad packet */ ++ ++ for (cp = name; (c = *cp); cp++) ++ if (c >= 'A' && c <= 'Z') ++ *cp += 'a' - 'A'; ++ ++ hash->update(ctx, cp - name, (unsigned char *)name); ++ /* CRC the class and type as well */ ++ hash->update(ctx, 4, p); ++ ++ p += 4; ++ if (!CHECK_LEN(header, p, plen, 0)) ++ break; /* bad packet */ ++ } ++ ++ hash->digest(ctx, hash->digest_size, digest); ++ return digest; ++} ++ ++#else /* HAVE_DNSSEC */ ++ ++#define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest ++typedef unsigned char BYTE; // 8-bit byte ++typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines ++ ++typedef struct { ++ BYTE data[64]; ++ WORD datalen; ++ unsigned long long bitlen; ++ WORD state[8]; ++} SHA256_CTX; ++ ++static void sha256_init(SHA256_CTX *ctx); ++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); ++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]); ++ ++ ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) ++{ ++ int q; ++ unsigned char *p = (unsigned char *)(header+1); ++ SHA256_CTX ctx; ++ static BYTE digest[SHA256_BLOCK_SIZE]; ++ ++ sha256_init(&ctx); ++ ++ for (q = ntohs(header->qdcount); q != 0; q--) ++ { ++ char *cp, c; ++ ++ if (!extract_name(header, plen, &p, name, 1, 4)) ++ break; /* bad packet */ ++ ++ for (cp = name; (c = *cp); cp++) ++ if (c >= 'A' && c <= 'Z') ++ *cp += 'a' - 'A'; ++ ++ sha256_update(&ctx, (BYTE *)name, cp - name); ++ /* CRC the class and type as well */ ++ sha256_update(&ctx, (BYTE *)p, 4); ++ ++ p += 4; ++ if (!CHECK_LEN(header, p, plen, 0)) ++ break; /* bad packet */ ++ } ++ ++ sha256_final(&ctx, digest); ++ return (unsigned char *)digest; ++} ++ ++/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms ++ and was written by Brad Conte (brad@bradconte.com), to whom all credit is given. ++ ++ This code is in the public domain, and the copyright notice at the head of this ++ file does not apply to it. ++*/ ++ ++ ++/****************************** MACROS ******************************/ ++#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b)))) ++#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b)))) ++ ++#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) ++#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) ++#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22)) ++#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25)) ++#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3)) ++#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10)) ++ ++/**************************** VARIABLES *****************************/ ++static const WORD k[64] = { ++ 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, ++ 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, ++ 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, ++ 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, ++ 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, ++ 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070, ++ 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, ++ 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 ++}; ++ ++/*********************** FUNCTION DEFINITIONS ***********************/ ++static void sha256_transform(SHA256_CTX *ctx, const BYTE data[]) ++{ ++ WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64]; ++ ++ for (i = 0, j = 0; i < 16; ++i, j += 4) ++ m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]); ++ for ( ; i < 64; ++i) ++ m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16]; ++ ++ a = ctx->state[0]; ++ b = ctx->state[1]; ++ c = ctx->state[2]; ++ d = ctx->state[3]; ++ e = ctx->state[4]; ++ f = ctx->state[5]; ++ g = ctx->state[6]; ++ h = ctx->state[7]; ++ ++ for (i = 0; i < 64; ++i) ++ { ++ t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i]; ++ t2 = EP0(a) + MAJ(a,b,c); ++ h = g; ++ g = f; ++ f = e; ++ e = d + t1; ++ d = c; ++ c = b; ++ b = a; ++ a = t1 + t2; ++ } ++ ++ ctx->state[0] += a; ++ ctx->state[1] += b; ++ ctx->state[2] += c; ++ ctx->state[3] += d; ++ ctx->state[4] += e; ++ ctx->state[5] += f; ++ ctx->state[6] += g; ++ ctx->state[7] += h; ++} ++ ++static void sha256_init(SHA256_CTX *ctx) ++{ ++ ctx->datalen = 0; ++ ctx->bitlen = 0; ++ ctx->state[0] = 0x6a09e667; ++ ctx->state[1] = 0xbb67ae85; ++ ctx->state[2] = 0x3c6ef372; ++ ctx->state[3] = 0xa54ff53a; ++ ctx->state[4] = 0x510e527f; ++ ctx->state[5] = 0x9b05688c; ++ ctx->state[6] = 0x1f83d9ab; ++ ctx->state[7] = 0x5be0cd19; ++} ++ ++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len) ++{ ++ WORD i; ++ ++ for (i = 0; i < len; ++i) ++ { ++ ctx->data[ctx->datalen] = data[i]; ++ ctx->datalen++; ++ if (ctx->datalen == 64) { ++ sha256_transform(ctx, ctx->data); ++ ctx->bitlen += 512; ++ ctx->datalen = 0; ++ } ++ } ++} ++ ++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) ++{ ++ WORD i; ++ ++ i = ctx->datalen; ++ ++ // Pad whatever data is left in the buffer. ++ if (ctx->datalen < 56) ++ { ++ ctx->data[i++] = 0x80; ++ while (i < 56) ++ ctx->data[i++] = 0x00; ++ } ++ else ++ { ++ ctx->data[i++] = 0x80; ++ while (i < 64) ++ ctx->data[i++] = 0x00; ++ sha256_transform(ctx, ctx->data); ++ memset(ctx->data, 0, 56); ++ } ++ ++ // Append to the padding the total message's length in bits and transform. ++ ctx->bitlen += ctx->datalen * 8; ++ ctx->data[63] = ctx->bitlen; ++ ctx->data[62] = ctx->bitlen >> 8; ++ ctx->data[61] = ctx->bitlen >> 16; ++ ctx->data[60] = ctx->bitlen >> 24; ++ ctx->data[59] = ctx->bitlen >> 32; ++ ctx->data[58] = ctx->bitlen >> 40; ++ ctx->data[57] = ctx->bitlen >> 48; ++ ctx->data[56] = ctx->bitlen >> 56; ++ sha256_transform(ctx, ctx->data); ++ ++ // Since this implementation uses little endian byte ordering and SHA uses big endian, ++ // reverse all the bytes when copying the final state to the output hash. ++ for (i = 0; i < 4; ++i) ++ { ++ hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff; ++ } ++} ++ ++#endif +Index: dnsmasq-2.81/src/rfc1035.c +=================================================================== +--- dnsmasq-2.81.orig/src/rfc1035.c ++++ dnsmasq-2.81/src/rfc1035.c +@@ -333,55 +333,6 @@ unsigned char *skip_section(unsigned cha + return ansp; + } + +-/* CRC the question section. This is used to safely detect query +- retransmission and to detect answers to questions we didn't ask, which +- might be poisoning attacks. Note that we decode the name rather +- than CRC the raw bytes, since replies might be compressed differently. +- We ignore case in the names for the same reason. Return all-ones +- if there is not question section. */ +-#ifndef HAVE_DNSSEC +-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name) +-{ +- int q; +- unsigned int crc = 0xffffffff; +- unsigned char *p1, *p = (unsigned char *)(header+1); +- +- for (q = ntohs(header->qdcount); q != 0; q--) +- { +- if (!extract_name(header, plen, &p, name, 1, 4)) +- return crc; /* bad packet */ +- +- for (p1 = (unsigned char *)name; *p1; p1++) +- { +- int i = 8; +- char c = *p1; +- +- if (c >= 'A' && c <= 'Z') +- c += 'a' - 'A'; +- +- crc ^= c << 24; +- while (i--) +- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; +- } +- +- /* CRC the class and type as well */ +- for (p1 = p; p1 < p+4; p1++) +- { +- int i = 8; +- crc ^= *p1 << 24; +- while (i--) +- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; +- } +- +- p += 4; +- if (!CHECK_LEN(header, p, plen, 0)) +- return crc; /* bad packet */ +- } +- +- return crc; +-} +-#endif +- + size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen) + { + unsigned char *ansp = skip_questions(header, plen); diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch new file mode 100644 index 0000000000..302c42ccca --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch @@ -0,0 +1,175 @@ +From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Wed, 25 Nov 2020 17:18:55 +0100 +Subject: [PATCH] Support hash function from nettle (only) + +Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from +nettle, but keep DNSSEC disabled at build time. Skips use of internal +hash implementation without support for validation built-in. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + Makefile | 8 +++++--- + bld/pkg-wrapper | 41 ++++++++++++++++++++++------------------- + src/config.h | 8 ++++++++ + src/crypto.c | 7 +++++++ + src/dnsmasq.h | 2 +- + src/hash_questions.c | 2 +- + 6 files changed, 44 insertions(+), 24 deletions(-) + +CVE: CVE-2020-25685 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b] +Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile + +Index: dnsmasq-2.81/Makefile +=================================================================== +--- dnsmasq-2.81.orig/Makefile ++++ dnsmasq-2.81/Makefile +@@ -53,7 +53,7 @@ top?=$(CURDIR) + + dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` + dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` +-ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus` ++ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'` + idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` + idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` + idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2` +@@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) | $(top)/ + ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack` + lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua` + lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua` +-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed` +-nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed` ++nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \ ++ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle` ++nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \ ++ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle` + gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` + sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` + version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"' +Index: dnsmasq-2.81/bld/pkg-wrapper +=================================================================== +--- dnsmasq-2.81.orig/bld/pkg-wrapper ++++ dnsmasq-2.81/bld/pkg-wrapper +@@ -1,35 +1,37 @@ + #!/bin/sh + +-search=$1 +-shift +-pkg=$1 +-shift +-op=$1 +-shift +- + in=`cat` + +-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \ +- echo $in | grep $search >/dev/null 2>&1; then ++search() ++{ ++ grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \ ++ echo $in | grep $1 >/dev/null 2>&1 ++} ++ ++while [ "$#" -gt 0 ]; do ++ search=$1 ++ pkg=$2 ++ op=$3 ++ lib=$4 ++ shift 4 ++if search "$search"; then ++ + # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP + if [ $op = "--copy" ]; then + if [ -z "$pkg" ]; then +- pkg="$*" +- elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \ +- echo $in | grep $pkg >/dev/null 2>&1; then ++ pkg="$lib" ++ elif search "$pkg"; then + pkg="" + else +- pkg="$*" ++ pkg="$lib" + fi +- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ +- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then +- pkg=`$pkg --static $op $*` ++ elif search "${search}_STATIC"; then ++ pkg=`$pkg --static $op $lib` + else +- pkg=`$pkg $op $*` ++ pkg=`$pkg $op $lib` + fi + +- if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ +- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then ++ if search "${search}_STATIC"; then + if [ $op = "--libs" ] || [ $op = "--copy" ]; then + echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic" + else +@@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:] + fi + fi + ++done +Index: dnsmasq-2.81/src/config.h +=================================================================== +--- dnsmasq-2.81.orig/src/config.h ++++ dnsmasq-2.81/src/config.h +@@ -118,6 +118,9 @@ HAVE_AUTH + define this to include the facility to act as an authoritative DNS + server for one or more zones. + ++HAVE_NETTLEHASH ++ include just hash function from nettle, but no DNSSEC. ++ + HAVE_DNSSEC + include DNSSEC validator. + +@@ -185,6 +188,7 @@ RESOLVFILE + /* #define HAVE_IDN */ + /* #define HAVE_LIBIDN2 */ + /* #define HAVE_CONNTRACK */ ++/* #define HAVE_NETTLEHASH */ + /* #define HAVE_DNSSEC */ + + +@@ -418,6 +422,10 @@ static char *compile_opts = + "no-" + #endif + "auth " ++#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC) ++"no-" ++#endif ++"nettlehash " + #ifndef HAVE_DNSSEC + "no-" + #endif +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head + # include <nettle/nettle-meta.h> + #endif + ++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) ++# include <nettle/nettle-meta.h> ++#endif + /* daemon is function in the C library.... */ + #define daemon dnsmasq_daemon + +Index: dnsmasq-2.81/src/hash_questions.c +=================================================================== +--- dnsmasq-2.81.orig/src/hash_questions.c ++++ dnsmasq-2.81/src/hash_questions.c +@@ -28,7 +28,7 @@ + + #include "dnsmasq.h" + +-#ifdef HAVE_DNSSEC ++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) + unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) + { + int q; diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch new file mode 100644 index 0000000000..fd9d0a9b16 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch @@ -0,0 +1,332 @@ +From 15b60ddf935a531269bb8c68198de012a4967156 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Wed, 18 Nov 2020 18:34:55 +0000 +Subject: [PATCH] Handle multiple identical near simultaneous DNS queries + better. + +Previously, such queries would all be forwarded +independently. This is, in theory, inefficent but in practise +not a problem, _except_ that is means that an answer for any +of the forwarded queries will be accepted and cached. +An attacker can send a query multiple times, and for each repeat, +another {port, ID} becomes capable of accepting the answer he is +sending in the blind, to random IDs and ports. The chance of a +succesful attack is therefore multiplied by the number of repeats +of the query. The new behaviour detects repeated queries and +merely stores the clients sending repeats so that when the +first query completes, the answer can be sent to all the +clients who asked. Refer: CERT VU#434904. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 16 +++++- + src/dnsmasq.h | 19 ++++--- + src/forward.c | 142 ++++++++++++++++++++++++++++++++++++++++++-------- + 3 files changed, 147 insertions(+), 30 deletions(-) + +CVE: CVE-2020-25686 +Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -655,19 +655,24 @@ struct hostsfile { + #define FREC_DO_QUESTION 64 + #define FREC_ADDED_PHEADER 128 + #define FREC_TEST_PKTSZ 256 +-#define FREC_HAS_EXTRADATA 512 ++#define FREC_HAS_EXTRADATA 512 ++#define FREC_HAS_PHEADER 1024 + + #define HASH_SIZE 32 /* SHA-256 digest size */ + + struct frec { +- union mysockaddr source; +- union all_addr dest; ++ struct frec_src { ++ union mysockaddr source; ++ union all_addr dest; ++ unsigned int iface, log_id; ++ unsigned short orig_id; ++ struct frec_src *next; ++ } frec_src; + struct server *sentto; /* NULL means free */ + struct randfd *rfd4; + struct randfd *rfd6; +- unsigned int iface; +- unsigned short orig_id, new_id; +- int log_id, fd, forwardall, flags; ++ unsigned short new_id; ++ int fd, forwardall, flags; + time_t time; + unsigned char *hash[HASH_SIZE]; + #ifdef HAVE_DNSSEC +@@ -1085,6 +1090,8 @@ extern struct daemon { + int back_to_the_future; + #endif + struct frec *frec_list; ++ struct frec_src *free_frec_src; ++ int frec_src_count; + struct serverfd *sfds; + struct irec *interfaces; + struct listener *listeners; +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -20,6 +20,8 @@ static struct frec *lookup_frec(unsigned + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); ++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags); ++ + static unsigned short get_id(void); + static void free_frec(struct frec *f); + +@@ -255,6 +257,7 @@ static int forward_query(int udpfd, unio + int type = SERV_DO_DNSSEC, norebind = 0; + union all_addr *addrp = NULL; + unsigned int flags = 0; ++ unsigned int fwd_flags = 0; + struct server *start = NULL; + void *hash = hash_questions(header, plen, daemon->namebuff); + #ifdef HAVE_DNSSEC +@@ -263,7 +266,18 @@ static int forward_query(int udpfd, unio + unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); + (void)do_bit; +- ++ ++ if (header->hb4 & HB4_CD) ++ fwd_flags |= FREC_CHECKING_DISABLED; ++ if (ad_reqd) ++ fwd_flags |= FREC_AD_QUESTION; ++ if (oph) ++ fwd_flags |= FREC_HAS_PHEADER; ++#ifdef HAVE_DNSSEC ++ if (do_bit) ++ fwd_flags |= FREC_DO_QUESTION; ++#endif ++ + /* may be no servers available. */ + if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))) + { +@@ -336,6 +350,39 @@ static int forward_query(int udpfd, unio + } + else + { ++ /* Query from new source, but the same query may be in progress ++ from another source. If so, just add this client to the ++ list that will get the reply. ++ ++ Note that is the EDNS client subnet option is in use, we can't do this, ++ as the clients (and therefore query EDNS options) will be different ++ for each query. The EDNS subnet code has checks to avoid ++ attacks in this case. */ ++ if (!option_bool(OPT_CLIENT_SUBNET) && (forward = lookup_frec_by_query(hash, fwd_flags))) ++ { ++ /* Note whine_malloc() zeros memory. */ ++ if (!daemon->free_frec_src && ++ daemon->frec_src_count < daemon->ftabsize && ++ (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) ++ daemon->frec_src_count++; ++ ++ /* If we've been spammed with many duplicates, just drop the query. */ ++ if (daemon->free_frec_src) ++ { ++ struct frec_src *new = daemon->free_frec_src; ++ daemon->free_frec_src = new->next; ++ new->next = forward->frec_src.next; ++ forward->frec_src.next = new; ++ new->orig_id = ntohs(header->id); ++ new->source = *udpaddr; ++ new->dest = *dst_addr; ++ new->log_id = daemon->log_id; ++ new->iface = dst_iface; ++ } ++ ++ return 1; ++ } ++ + if (gotname) + flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); + +@@ -343,22 +390,22 @@ static int forward_query(int udpfd, unio + do_dnssec = type & SERV_DO_DNSSEC; + #endif + type &= ~SERV_DO_DNSSEC; +- ++ + if (daemon->servers && !flags) + forward = get_new_frec(now, NULL, NULL); + /* table full - flags == 0, return REFUSED */ + + if (forward) + { +- forward->source = *udpaddr; +- forward->dest = *dst_addr; +- forward->iface = dst_iface; +- forward->orig_id = ntohs(header->id); ++ forward->frec_src.source = *udpaddr; ++ forward->frec_src.orig_id = ntohs(header->id); ++ forward->frec_src.dest = *dst_addr; ++ forward->frec_src.iface = dst_iface; + forward->new_id = get_id(); + forward->fd = udpfd; + memcpy(forward->hash, hash, HASH_SIZE); + forward->forwardall = 0; +- forward->flags = 0; ++ forward->flags = fwd_flags; + if (norebind) + forward->flags |= FREC_NOREBIND; + if (header->hb4 & HB4_CD) +@@ -413,9 +460,9 @@ static int forward_query(int udpfd, unio + unsigned char *pheader; + + /* If a query is retried, use the log_id for the retry when logging the answer. */ +- forward->log_id = daemon->log_id; ++ forward->frec_src.log_id = daemon->log_id; + +- plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->source, now, &subnet); ++ plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet); + + if (subnet) + forward->flags |= FREC_HAS_SUBNET; +@@ -552,7 +599,7 @@ static int forward_query(int udpfd, unio + return 1; + + /* could not send on, prepare to return */ +- header->id = htons(forward->orig_id); ++ header->id = htons(forward->frec_src.orig_id); + free_frec(forward); /* cancel */ + } + +@@ -804,8 +851,8 @@ void reply_query(int fd, int family, tim + + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. */ +- daemon->log_display_id = forward->log_id; +- daemon->log_source_addr = &forward->source; ++ daemon->log_display_id = forward->frec_src.log_id; ++ daemon->log_source_addr = &forward->frec_src.source; + + if (daemon->ignore_addr && RCODE(header) == NOERROR && + check_for_ignored_address(header, n, daemon->ignore_addr)) +@@ -1077,6 +1124,7 @@ void reply_query(int fd, int family, tim + new->sentto = server; + new->rfd4 = NULL; + new->rfd6 = NULL; ++ new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; + +@@ -1212,9 +1260,11 @@ void reply_query(int fd, int family, tim + + if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, + forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, +- forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source))) ++ forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source))) + { +- header->id = htons(forward->orig_id); ++ struct frec_src *src; ++ ++ header->id = htons(forward->frec_src.orig_id); + header->hb4 |= HB4_RA; /* recursion if available */ + #ifdef HAVE_DNSSEC + /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size +@@ -1230,13 +1280,26 @@ void reply_query(int fd, int family, tim + } + #endif + ++ for (src = &forward->frec_src; src; src = src->next) ++ { ++ header->id = htons(src->orig_id); ++ + #ifdef HAVE_DUMPFILE +- dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source); ++ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source); + #endif +- +- send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, +- &forward->source, &forward->dest, forward->iface); ++ ++ send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, ++ &src->source, &src->dest, src->iface); ++ ++ if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src) ++ { ++ daemon->log_display_id = src->log_id; ++ daemon->log_source_addr = &src->source; ++ log_query(F_UPSTREAM, "query", NULL, "duplicate"); ++ } ++ } + } ++ + free_frec(forward); /* cancel */ + } + } +@@ -2198,6 +2261,17 @@ void free_rfd(struct randfd *rfd) + + static void free_frec(struct frec *f) + { ++ struct frec_src *src, *tmp; ++ ++ /* add back to freelist of not the record builtin to every frec. */ ++ for (src = f->frec_src.next; src; src = tmp) ++ { ++ tmp = src->next; ++ src->next = daemon->free_frec_src; ++ daemon->free_frec_src = src; ++ } ++ ++ f->frec_src.next = NULL; + free_rfd(f->rfd4); + f->rfd4 = NULL; + f->sentto = NULL; +@@ -2339,17 +2413,39 @@ static struct frec *lookup_frec_by_sende + void *hash) + { + struct frec *f; ++ struct frec_src *src; ++ ++ for (f = daemon->frec_list; f; f = f->next) ++ if (f->sentto && ++ !(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) && ++ memcmp(hash, f->hash, HASH_SIZE) == 0) ++ for (src = &f->frec_src; src; src = src->next) ++ if (src->orig_id == id && ++ sockaddr_isequal(&src->source, addr)) ++ return f; ++ ++ return NULL; ++} ++ ++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags) ++{ ++ struct frec *f; ++ ++ /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below ++ ensures that no frec created for internal DNSSEC query can be returned here. */ ++ ++#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \ ++ | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY) + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && +- f->orig_id == id && +- memcmp(hash, f->hash, HASH_SIZE) == 0 && +- sockaddr_isequal(&f->source, addr)) ++ (f->flags & FLAGMASK) == flags && ++ memcmp(hash, f->hash, HASH_SIZE) == 0) + return f; +- ++ + return NULL; + } +- ++ + /* Send query packet again, if we can. */ + void resend_query() + { diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch new file mode 100644 index 0000000000..a6ffd37260 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch @@ -0,0 +1,63 @@ +From 6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 4 Dec 2020 18:35:11 +0000 +Subject: [PATCH] Small cleanups in frec_src datastucture handling. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + src/forward.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +CVE: CVE-2020-25686 +Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -364,7 +364,10 @@ static int forward_query(int udpfd, unio + if (!daemon->free_frec_src && + daemon->frec_src_count < daemon->ftabsize && + (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) +- daemon->frec_src_count++; ++ { ++ daemon->frec_src_count++; ++ daemon->free_frec_src->next = NULL; ++ } + + /* If we've been spammed with many duplicates, just drop the query. */ + if (daemon->free_frec_src) +@@ -401,6 +404,7 @@ static int forward_query(int udpfd, unio + forward->frec_src.orig_id = ntohs(header->id); + forward->frec_src.dest = *dst_addr; + forward->frec_src.iface = dst_iface; ++ forward->frec_src.next = NULL; + forward->new_id = get_id(); + forward->fd = udpfd; + memcpy(forward->hash, hash, HASH_SIZE); +@@ -2261,16 +2265,16 @@ void free_rfd(struct randfd *rfd) + + static void free_frec(struct frec *f) + { +- struct frec_src *src, *tmp; +- +- /* add back to freelist of not the record builtin to every frec. */ +- for (src = f->frec_src.next; src; src = tmp) ++ struct frec_src *last; ++ ++ /* add back to freelist if not the record builtin to every frec. */ ++ for (last = f->frec_src.next; last && last->next; last = last->next) ; ++ if (last) + { +- tmp = src->next; +- src->next = daemon->free_frec_src; +- daemon->free_frec_src = src; ++ last->next = daemon->free_frec_src; ++ daemon->free_frec_src = f->frec_src.next; + } +- ++ + f->frec_src.next = NULL; + free_rfd(f->rfd4); + f->rfd4 = NULL; diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch new file mode 100644 index 0000000000..5580cd409f --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch @@ -0,0 +1,30 @@ +From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Wed, 6 May 2020 13:40:36 +0300 +Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer + +--- + src/auth/mech-rpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12674 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c +index 08298ebdd6..2de8705b4f 100644 +--- a/src/auth/mech-rpa.c ++++ b/src/auth/mech-rpa.c +@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data, + return 0; + + len = *p++; +- if (p + len > end) ++ if (p + len > end || len == 0) + return 0; + + *buffer = p_malloc(pool, len); +-- +2.11.0 diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch index f86235076e..3f87714dcc 100644 --- a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch @@ -13,11 +13,11 @@ Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> configure.ac | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) -diff --git a/configure.ac b/configure.ac -index 3b32614..94ec002 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -519,13 +519,10 @@ have_ioloop=no +Index: dovecot-2.2.36.4/configure.ac +=================================================================== +--- dovecot-2.2.36.4.orig/configure.ac ++++ dovecot-2.2.36.4/configure.ac +@@ -490,13 +490,10 @@ have_ioloop=no if test "$ioloop" = "best" || test "$ioloop" = "epoll"; then AC_CACHE_CHECK([whether we can use epoll],i_cv_epoll_works,[ @@ -34,7 +34,7 @@ index 3b32614..94ec002 100644 ], [ i_cv_epoll_works=yes ], [ -@@ -653,7 +650,7 @@ fi +@@ -596,7 +593,7 @@ fi dnl * Old glibcs have broken posix_fallocate(). Make sure not to use it. dnl * It may also be broken in AIX. AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ @@ -43,7 +43,7 @@ index 3b32614..94ec002 100644 #define _XOPEN_SOURCE 600 #include <stdio.h> #include <stdlib.h> -@@ -662,7 +659,7 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -605,7 +602,7 @@ AC_CACHE_CHECK([whether posix_fallocate( #if defined(__GLIBC__) && (__GLIBC__ < 2 || __GLIBC_MINOR__ < 7) possibly broken posix_fallocate #endif @@ -52,7 +52,7 @@ index 3b32614..94ec002 100644 int fd = creat("conftest.temp", 0600); int ret; if (fd == -1) { -@@ -671,8 +668,6 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -614,8 +611,6 @@ AC_CACHE_CHECK([whether posix_fallocate( } ret = posix_fallocate(fd, 1024, 1024) < 0 ? 1 : 0; unlink("conftest.temp"); @@ -61,6 +61,3 @@ index 3b32614..94ec002 100644 ], [ i_cv_posix_fallocate_works=yes ], [ --- -1.8.4.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch index 65ae9bf910..3170ae8658 100644 --- a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch @@ -18,11 +18,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> src/doveadm/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/src/doveadm/Makefile.am b/src/doveadm/Makefile.am -index c644646..6ae9144 100644 ---- a/src/doveadm/Makefile.am -+++ b/src/doveadm/Makefile.am -@@ -180,8 +180,8 @@ test_libs = \ +Index: dovecot-2.2.36.4/src/doveadm/Makefile.am +=================================================================== +--- dovecot-2.2.36.4.orig/src/doveadm/Makefile.am ++++ dovecot-2.2.36.4/src/doveadm/Makefile.am +@@ -182,8 +182,8 @@ test_libs = \ ../lib/liblib.la test_deps = $(noinst_LTLIBRARIES) $(test_libs) @@ -33,6 +33,3 @@ index c644646..6ae9144 100644 test_doveadm_util_DEPENDENCIES = $(test_deps) check: check-am check-test --- -2.14.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch new file mode 100644 index 0000000000..583f71ca58 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch @@ -0,0 +1,76 @@ +From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:33:31 +0300 +Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish() + helper function + +--- + src/lib-mail/message-parser.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index b1de1950a..aaa8dd8b7 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part *parent) + return part; + } + ++static void message_part_finish(struct message_parser_ctx *ctx) ++{ ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); ++ ctx->part = ctx->part->parent; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_boundary *boundary, + struct message_block *block_r, bool first_line) + { +- struct message_part *part; + size_t line_size; + + i_assert(ctx->last_boundary == NULL); + + /* get back to parent MIME part, summing the child MIME part sizes + into parent's body sizes */ +- for (part = ctx->part; part != boundary->part; part = part->parent) { +- message_size_add(&part->parent->body_size, &part->body_size); +- message_size_add(&part->parent->body_size, &part->header_size); ++ while (ctx->part != boundary->part) { ++ message_part_finish(ctx); ++ i_assert(ctx->part != NULL); + } +- i_assert(part != NULL); +- ctx->part = part; + + if (boundary->epilogue_found) { + /* this boundary isn't needed anymore */ +@@ -1132,13 +1136,8 @@ int message_parser_parse_next_block(struct message_parser_ctx *ctx, + i_assert(ctx->input->eof || ctx->input->closed || + ctx->input->stream_errno != 0 || + ctx->broken_reason != NULL); +- while (ctx->part->parent != NULL) { +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->body_size); +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->header_size); +- ctx->part = ctx->part->parent; +- } ++ while (ctx->part->parent != NULL) ++ message_part_finish(ctx); + } + + if (block_r->size == 0) { +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch new file mode 100644 index 0000000000..9f24320ebf --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch @@ -0,0 +1,71 @@ +From de0da7bc8df55521db8fa787f88e293618c96386 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:34:22 +0300 +Subject: [PATCH 02/13] lib-mail: message-parser - Change message_part_append() + to do all work internally + +--- + src/lib-mail/message-parser.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index aaa8dd8b7..2edf3e7a6 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -167,16 +167,17 @@ static int message_parser_read_more(struct message_parser_ctx *ctx, + return 1; + } + +-static struct message_part * +-message_part_append(pool_t pool, struct message_part *parent) ++static void ++message_part_append(struct message_parser_ctx *ctx) + { ++ struct message_part *parent = ctx->part; + struct message_part *p, *part, **list; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | + MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0); + +- part = p_new(pool, struct message_part, 1); ++ part = p_new(ctx->part_pool, struct message_part, 1); + part->parent = parent; + for (p = parent; p != NULL; p = p->parent) + p->children_count++; +@@ -192,7 +193,7 @@ message_part_append(pool_t pool, struct message_part *parent) + list = &(*list)->next; + + *list = part; +- return part; ++ ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -220,7 +221,7 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + return parse_next_header_init(ctx, block_r); + } + +@@ -270,7 +271,7 @@ boundary_line_find(struct message_parser_ctx *ctx, + static int parse_next_mime_header_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + ctx->part->flags |= MESSAGE_PART_FLAG_IS_MIME; + + return parse_next_header_init(ctx, block_r); +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch new file mode 100644 index 0000000000..81aead8aad --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch @@ -0,0 +1,37 @@ +Backport of: + +From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Mon, 18 May 2020 12:33:39 +0300 +Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses + +Add missing check for buffer length. + +If this is not checked, it is possible to send message which +causes read past buffer bug. + +Broken in c7480644202e5451fbed448508ea29a25cffc99c +--- + src/lib-ntlm/ntlm-message.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12673 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +--- a/src/lib-ntlm/ntlm-message.c ++++ b/src/lib-ntlm/ntlm-message.c +@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st + if (length == 0 && space == 0) + return 1; + ++ if (length > data_size) { ++ *error = "buffer length out of bounds"; ++ return 0; ++ } ++ + if (offset >= data_size) { + *error = "buffer offset out of bounds"; + return 0; diff --git a/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch new file mode 100644 index 0000000000..e530902350 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch @@ -0,0 +1,49 @@ +From a9800b436fcf1f9633c2b136a9c5cb7a486a8a52 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:36:48 +0300 +Subject: [PATCH 03/13] lib-mail: message-parser - Optimize updating + children_count + +--- + src/lib-mail/message-parser.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 2edf3e7a6..05768a058 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -171,7 +171,7 @@ static void + message_part_append(struct message_parser_ctx *ctx) + { + struct message_part *parent = ctx->part; +- struct message_part *p, *part, **list; ++ struct message_part *part, **list; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | +@@ -179,8 +179,6 @@ message_part_append(struct message_parser_ctx *ctx) + + part = p_new(ctx->part_pool, struct message_part, 1); + part->parent = parent; +- for (p = parent; p != NULL; p = p->parent) +- p->children_count++; + + /* set child position */ + part->physical_pos = +@@ -200,6 +198,7 @@ static void message_part_finish(struct message_parser_ctx *ctx) + { + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); ++ ctx->part->parent->children_count += 1 + ctx->part->children_count; + ctx->part = ctx->part->parent; + } + +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch new file mode 100644 index 0000000000..ba6667fa99 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch @@ -0,0 +1,90 @@ +From 99ee7596712cf0ea0a288b712bc898ecb2b35f9b Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:00:38 +0300 +Subject: [PATCH 04/13] lib-mail: message-parser - Optimize appending new part + to linked list + +--- + src/lib-mail/message-parser.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +Index: dovecot-2.2.36.4/src/lib-mail/message-parser.c +=================================================================== +--- dovecot-2.2.36.4.orig/src/lib-mail/message-parser.c ++++ dovecot-2.2.36.4/src/lib-mail/message-parser.c +@@ -1,7 +1,7 @@ + /* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */ + + #include "lib.h" +-#include "buffer.h" ++#include "array.h" + #include "str.h" + #include "istream.h" + #include "rfc822-parser.h" +@@ -34,6 +34,9 @@ struct message_parser_ctx { + const char *last_boundary; + struct message_boundary *boundaries; + ++ struct message_part **next_part; ++ ARRAY(struct message_part **) next_part_stack; ++ + size_t skip; + char last_chr; + unsigned int want_count; +@@ -171,7 +174,7 @@ static void + message_part_append(struct message_parser_ctx *ctx) + { + struct message_part *parent = ctx->part; +- struct message_part *part, **list; ++ struct message_part *part; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | +@@ -186,16 +189,27 @@ message_part_append(struct message_parse + parent->body_size.physical_size + + parent->header_size.physical_size; + +- list = &part->parent->children; +- while (*list != NULL) +- list = &(*list)->next; ++ /* add to parent's linked list */ ++ *ctx->next_part = part; ++ /* update the parent's end-of-linked-list pointer */ ++ struct message_part **next_part = &part->next; ++ array_append(&ctx->next_part_stack, &next_part, 1); ++ /* This part is now the new parent for the next message_part_append() ++ call. Its linked list begins with the children pointer. */ ++ ctx->next_part = &part->children; + +- *list = part; + ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) + { ++ struct message_part **const *parent_next_partp; ++ unsigned int count = array_count(&ctx->next_part_stack); ++ ++ parent_next_partp = array_idx(&ctx->next_part_stack, count-1); ++ array_delete(&ctx->next_part_stack, count-1, 1); ++ ctx->next_part = *parent_next_partp; ++ + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); + ctx->part->parent->children_count += 1 + ctx->part->children_count; +@@ -1062,7 +1076,9 @@ message_parser_init(pool_t part_pool, st + ctx = message_parser_init_int(input, hdr_flags, flags); + ctx->part_pool = part_pool; + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); ++ ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); + return ctx; + } + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch new file mode 100644 index 0000000000..4e63509b45 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch @@ -0,0 +1,45 @@ +From e39c95b248917eb2b596ca55a957f3cbc7fd406f Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:10:07 +0300 +Subject: [PATCH 05/13] lib-mail: message-parser - Minor code cleanup to + finding the end of boundary line + +--- + src/lib-mail/message-parser.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index ff4e09e5a..6c6a680b5 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -260,17 +260,16 @@ boundary_line_find(struct message_parser_ctx *ctx, + } + + /* need to find the end of line */ +- if (memchr(data + 2, '\n', size - 2) == NULL && +- size < BOUNDARY_END_MAX_LEN && ++ data += 2; ++ size -= 2; ++ if (memchr(data, '\n', size) == NULL && ++ size+2 < BOUNDARY_END_MAX_LEN && + !ctx->input->eof && !full) { + /* no LF found */ + ctx->want_count = BOUNDARY_END_MAX_LEN; + return 0; + } + +- data += 2; +- size -= 2; +- + *boundary_r = boundary_find(ctx->boundaries, data, size); + if (*boundary_r == NULL) + return -1; +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch new file mode 100644 index 0000000000..1012d7983e --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch @@ -0,0 +1,163 @@ +From aed125484a346b4893c1a169088c39fe7ced01f3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:53:12 +0300 +Subject: [PATCH 06/13] lib-mail: message-parser - Truncate excessively long + MIME boundaries + +RFC 2046 requires that the boundaries are a maximum of 70 characters +(excluding the "--" prefix and suffix). We allow 80 characters for a bit of +extra safety. Anything longer than that is truncated and treated the same +as if it was just 80 characters. +--- + src/lib-mail/message-parser.c | 7 ++- + src/lib-mail/test-message-parser.c | 95 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 100 insertions(+), 2 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 6c6a680b5..92f541b02 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -10,7 +10,8 @@ + + /* RFC-2046 requires boundaries are max. 70 chars + "--" prefix + "--" suffix. + We'll add a bit more just in case. */ +-#define BOUNDARY_END_MAX_LEN (70 + 2 + 2 + 10) ++#define BOUNDARY_STRING_MAX_LEN (70 + 10) ++#define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + struct message_boundary { + struct message_boundary *next; +@@ -526,8 +527,10 @@ static void parse_content_type(struct message_parser_ctx *ctx, + rfc2231_parse(&parser, &results); + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { ++ /* truncate excessively long boundaries */ + ctx->last_boundary = +- p_strdup(ctx->parser_pool, results[1]); ++ p_strndup(ctx->parser_pool, results[1], ++ BOUNDARY_STRING_MAX_LEN); + break; + } + } +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 1f1aa1437..94aa3eb7c 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -642,6 +642,100 @@ static void test_message_parser_no_eoh(void) + test_end(); + } + ++static void test_message_parser_long_mime_boundary(void) ++{ ++ /* Close the boundaries in wrong reverse order. But because all ++ boundaries are actually truncated to the same size (..890) it ++ works the same as if all of them were duplicate boundaries. */ ++static const char input_msg[] = ++"Content-Type: multipart/mixed; boundary=\"1234567890123456789012345678901234567890123456789012345678901234567890123456789012\"\n" ++"\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: multipart/mixed; boundary=\"123456789012345678901234567890123456789012345678901234567890123456789012345678901\"\n" ++"\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: multipart/mixed; boundary=\"12345678901234567890123456789012345678901234567890123456789012345678901234567890\"\n" ++"\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"1\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: text/plain\n" ++"\n" ++"22\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: text/plain\n" ++"\n" ++"333\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"4444\n"; ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts, *part; ++ struct message_block block; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser long mime boundary"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(input_msg); ++ ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ; ++ test_assert(ret < 0); ++ message_parser_deinit(&parser, &parts); ++ ++ part = parts; ++ test_assert(part->children_count == 6); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 126); ++ test_assert(part->header_size.virtual_size == 126+2); ++ test_assert(part->body_size.lines == 22); ++ test_assert(part->body_size.physical_size == 871); ++ test_assert(part->body_size.virtual_size == 871+22); ++ ++ part = parts->children; ++ test_assert(part->children_count == 5); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 125); ++ test_assert(part->header_size.virtual_size == 125+2); ++ test_assert(part->body_size.lines == 19); ++ test_assert(part->body_size.physical_size == 661); ++ test_assert(part->body_size.virtual_size == 661+19); ++ ++ part = parts->children->children; ++ test_assert(part->children_count == 4); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 124); ++ test_assert(part->header_size.virtual_size == 124+2); ++ test_assert(part->body_size.lines == 16); ++ test_assert(part->body_size.physical_size == 453); ++ test_assert(part->body_size.virtual_size == 453+16); ++ ++ part = parts->children->children->children; ++ for (unsigned int i = 1; i <= 3; i++, part = part->next) { ++ test_assert(part->children_count == 0); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_TEXT | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 26); ++ test_assert(part->header_size.virtual_size == 26+2); ++ test_assert(part->body_size.lines == 0); ++ test_assert(part->body_size.physical_size == i); ++ test_assert(part->body_size.virtual_size == i); ++ } ++ ++ test_parsed_parts(input, parts); ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + int main(void) + { + static void (*test_functions[])(void) = { +@@ -654,6 +748,7 @@ int main(void) + test_message_parser_garbage_suffix_mime_boundary, + test_message_parser_continuing_mime_boundary, + test_message_parser_continuing_truncated_mime_boundary, ++ test_message_parser_long_mime_boundary, + test_message_parser_no_eoh, + NULL + }; +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch new file mode 100644 index 0000000000..eeb6c96f1a --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch @@ -0,0 +1,72 @@ +From 5f8de52fec3191a1aa68a399ee2068485737dc4f Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 13:06:02 +0300 +Subject: [PATCH 07/13] lib-mail: message-parser - Optimize boundary lookups + when exact boundary is found + +When an exact boundary is found, there's no need to continue looking for +more boundaries. +--- + src/lib-mail/message-parser.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 92f541b02..c2934c761 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -80,8 +80,14 @@ boundary_find(struct message_boundary *boundaries, + while (boundaries != NULL) { + if (boundaries->len <= len && + memcmp(boundaries->boundary, data, boundaries->len) == 0 && +- (best == NULL || best->len < boundaries->len)) ++ (best == NULL || best->len < boundaries->len)) { + best = boundaries; ++ if (best->len == len) { ++ /* This is exactly the wanted boundary. There ++ can't be a better one. */ ++ break; ++ } ++ } + + boundaries = boundaries->next; + } +@@ -263,15 +269,27 @@ boundary_line_find(struct message_parser_ctx *ctx, + /* need to find the end of line */ + data += 2; + size -= 2; +- if (memchr(data, '\n', size) == NULL && ++ const unsigned char *lf_pos = memchr(data, '\n', size); ++ if (lf_pos == NULL && + size+2 < BOUNDARY_END_MAX_LEN && + !ctx->input->eof && !full) { + /* no LF found */ + ctx->want_count = BOUNDARY_END_MAX_LEN; + return 0; + } +- +- *boundary_r = boundary_find(ctx->boundaries, data, size); ++ size_t find_size = size; ++ ++ if (lf_pos != NULL) { ++ find_size = lf_pos - data; ++ if (find_size > 0 && data[find_size-1] == '\r') ++ find_size--; ++ if (find_size > 2 && data[find_size-1] == '-' && ++ data[find_size-2] == '-') ++ find_size -= 2; ++ } else if (find_size > BOUNDARY_END_MAX_LEN) ++ find_size = BOUNDARY_END_MAX_LEN; ++ ++ *boundary_r = boundary_find(ctx->boundaries, data, find_size); + if (*boundary_r == NULL) + return -1; + +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch new file mode 100644 index 0000000000..4af070a879 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch @@ -0,0 +1,50 @@ +From 929396767d831bedbdec6392aaa835b045332fd3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 14:53:27 +0300 +Subject: [PATCH 08/13] lib-mail: message-parser - Add boundary_remove_until() + helper function + +--- + src/lib-mail/message-parser.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index c2934c761..028f74159 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -223,6 +223,13 @@ static void message_part_finish(struct message_parser_ctx *ctx) + ctx->part = ctx->part->parent; + } + ++static void ++boundary_remove_until(struct message_parser_ctx *ctx, ++ struct message_boundary *boundary) ++{ ++ ctx->boundaries = boundary; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -364,10 +371,10 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + + if (boundary->epilogue_found) { + /* this boundary isn't needed anymore */ +- ctx->boundaries = boundary->next; ++ boundary_remove_until(ctx, boundary->next); + } else { + /* forget about the boundaries we possibly skipped */ +- ctx->boundaries = boundary; ++ boundary_remove_until(ctx, boundary); + } + + /* the boundary itself should already be in buffer. add that. */ +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch new file mode 100644 index 0000000000..aade7dc2b3 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch @@ -0,0 +1,169 @@ +From d53d83214b1d635446a8cf8ff9438cc530133d62 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 15:00:57 +0300 +Subject: [PATCH 09/13] lib-mail: message-parser - Don't use memory pool for + parser + +This reduces memory usage when parsing many MIME parts where boundaries are +being added and removed constantly. +--- + src/lib-mail/message-parser.c | 48 ++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 028f74159..8970d8e0e 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -17,14 +17,14 @@ struct message_boundary { + struct message_boundary *next; + + struct message_part *part; +- const char *boundary; ++ char *boundary; + size_t len; + + unsigned int epilogue_found:1; + }; + + struct message_parser_ctx { +- pool_t parser_pool, part_pool; ++ pool_t part_pool; + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; +@@ -32,7 +32,7 @@ struct message_parser_ctx { + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + +- const char *last_boundary; ++ char *last_boundary; + struct message_boundary *boundaries; + + struct message_part **next_part; +@@ -223,10 +223,24 @@ static void message_part_finish(struct message_parser_ctx *ctx) + ctx->part = ctx->part->parent; + } + ++static void message_boundary_free(struct message_boundary *b) ++{ ++ i_free(b->boundary); ++ i_free(b); ++} ++ + static void + boundary_remove_until(struct message_parser_ctx *ctx, + struct message_boundary *boundary) + { ++ while (ctx->boundaries != boundary) { ++ struct message_boundary *cur = ctx->boundaries; ++ ++ i_assert(cur != NULL); ++ ctx->boundaries = cur->next; ++ message_boundary_free(cur); ++ ++ } + ctx->boundaries = boundary; + } + +@@ -234,15 +248,14 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; + +- b = p_new(ctx->parser_pool, struct message_boundary, 1); ++ b = i_new(struct message_boundary, 1); + b->part = ctx->part; + b->boundary = ctx->last_boundary; ++ ctx->last_boundary = NULL; + b->len = strlen(b->boundary); + + b->next = ctx->boundaries; + ctx->boundaries = b; +- +- ctx->last_boundary = NULL; + } + + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, +@@ -359,6 +372,8 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_block *block_r, bool first_line) + { + size_t line_size; ++ size_t boundary_len = boundary->len; ++ bool boundary_epilogue_found = boundary->epilogue_found; + + i_assert(ctx->last_boundary == NULL); + +@@ -391,7 +406,7 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + i_assert(block_r->data[0] == '\n'); + line_size = 1; + } +- line_size += 2 + boundary->len + (boundary->epilogue_found ? 2 : 0); ++ line_size += 2 + boundary_len + (boundary_epilogue_found ? 2 : 0); + i_assert(block_r->size >= ctx->skip + line_size); + block_r->size = line_size; + parse_body_add_block(ctx, block_r); +@@ -553,9 +568,9 @@ static void parse_content_type(struct message_parser_ctx *ctx, + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { + /* truncate excessively long boundaries */ ++ i_free(ctx->last_boundary); + ctx->last_boundary = +- p_strndup(ctx->parser_pool, results[1], +- BOUNDARY_STRING_MAX_LEN); ++ i_strndup(results[1], BOUNDARY_STRING_MAX_LEN); + break; + } + } +@@ -678,7 +693,7 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(!ctx->multipart); + part->flags = 0; + } +- ctx->last_boundary = NULL; ++ i_free(ctx->last_boundary); + + if (!ctx->part_seen_content_type || + (part->flags & MESSAGE_PART_FLAG_IS_MIME) == 0) { +@@ -1081,11 +1096,8 @@ message_parser_init_int(struct istream *input, + enum message_parser_flags flags) + { + struct message_parser_ctx *ctx; +- pool_t pool; + +- pool = pool_alloconly_create("Message Parser", 1024); +- ctx = p_new(pool, struct message_parser_ctx, 1); +- ctx->parser_pool = pool; ++ ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; + ctx->input = input; +@@ -1105,7 +1117,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; +- p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); ++ i_array_init(&ctx->next_part_stack, 4); + return ctx; + } + +@@ -1146,8 +1158,12 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); ++ boundary_remove_until(ctx, NULL); + i_stream_unref(&ctx->input); +- pool_unref(&ctx->parser_pool); ++ if (array_is_created(&ctx->next_part_stack)) ++ array_free(&ctx->next_part_stack); ++ i_free(ctx->last_boundary); ++ i_free(ctx); + i_assert(ret < 0 || *parts_r != NULL); + return ret; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..ae52544665 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch @@ -0,0 +1,188 @@ +From df9e0d358ef86e3342525dcdefcf79dc2d749a30 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 16:59:40 +0300 +Subject: [PATCH 10/13] lib-mail: message-parser - Support limiting max number + of nested MIME parts + +The default is to allow 100 nested MIME parts. When the limit is reached, +the innermost MIME part's body contains all the rest of the inner bodies +until a parent MIME part is reached. +--- + src/lib-mail/message-parser.c | 43 +++++++++++++++++++++++++++++++------- + src/lib-mail/test-message-parser.c | 31 +++++++++++++++++++++++++++ + 2 files changed, 67 insertions(+), 7 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 8970d8e0e..721615f76 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -13,6 +13,8 @@ + #define BOUNDARY_STRING_MAX_LEN (70 + 10) + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + ++#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++ + struct message_boundary { + struct message_boundary *next; + +@@ -28,9 +30,11 @@ struct message_parser_ctx { + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; ++ unsigned int nested_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; ++ unsigned int max_nested_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -206,6 +210,8 @@ message_part_append(struct message_parser_ctx *ctx) + ctx->next_part = &part->children; + + ctx->part = part; ++ ctx->nested_parts_count++; ++ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -213,8 +219,12 @@ static void message_part_finish(struct message_parser_ctx *ctx) + struct message_part **const *parent_next_partp; + unsigned int count = array_count(&ctx->next_part_stack); + ++ i_assert(ctx->nested_parts_count > 0); ++ ctx->nested_parts_count--; ++ + parent_next_partp = array_idx(&ctx->next_part_stack, count-1); + array_delete(&ctx->next_part_stack, count-1, 1); ++ + ctx->next_part = *parent_next_partp; + + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); +@@ -592,6 +602,11 @@ static bool block_is_at_eoh(const struct message_block *block) + return FALSE; + } + ++static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx) ++{ ++ return ctx->nested_parts_count > ctx->max_nested_mime_parts; ++} ++ + #define MUTEX_FLAGS \ + (MESSAGE_PART_FLAG_MESSAGE_RFC822 | MESSAGE_PART_FLAG_MULTIPART) + +@@ -616,8 +631,12 @@ static int parse_next_header(struct message_parser_ctx *ctx, + "\n--boundary" belongs to us or to a previous boundary. + this is a problem if the boundary prefixes are identical, + because MIME requires only the prefix to match. */ +- parse_next_body_multipart_init(ctx); +- ctx->multipart = TRUE; ++ if (!parse_too_many_nested_mime_parts(ctx)) { ++ parse_next_body_multipart_init(ctx); ++ ctx->multipart = TRUE; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MULTIPART; ++ } + } + + /* before parsing the header see if we can find a --boundary from here. +@@ -721,12 +740,16 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(ctx->last_boundary == NULL); + ctx->multipart = FALSE; + ctx->parse_next_block = parse_next_body_to_boundary; +- } else if (part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) ++ } else if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0 && ++ !parse_too_many_nested_mime_parts(ctx)) { + ctx->parse_next_block = parse_next_body_message_rfc822_init; +- else if (ctx->boundaries != NULL) +- ctx->parse_next_block = parse_next_body_to_boundary; +- else +- ctx->parse_next_block = parse_next_body_to_eof; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MESSAGE_RFC822; ++ if (ctx->boundaries != NULL) ++ ctx->parse_next_block = parse_next_body_to_boundary; ++ else ++ ctx->parse_next_block = parse_next_body_to_eof; ++ } + + ctx->want_count = 1; + +@@ -1100,6 +1123,8 @@ message_parser_init_int(struct istream *input, + ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; ++ ctx->max_nested_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1159,6 +1184,10 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); + boundary_remove_until(ctx, NULL); ++ /* caller might have stopped the parsing early */ ++ i_assert(ctx->nested_parts_count == 0 || ++ i_stream_have_bytes_left(ctx->input)); ++ + i_stream_unref(&ctx->input); + if (array_is_created(&ctx->next_part_stack)) + array_free(&ctx->next_part_stack); +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 94aa3eb7c..481d05942 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -166,6 +166,36 @@ static void test_message_parser_small_blocks(void) + test_end(); + } + ++static void test_message_parser_stop_early(void) ++{ ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts; ++ struct message_block block; ++ unsigned int i; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser stop early"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(test_msg); ++ ++ test_istream_set_allow_eof(input, FALSE); ++ for (i = 1; i <= TEST_MSG_LEN+1; i++) { ++ i_stream_seek(input, 0); ++ test_istream_set_size(input, i); ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, ++ &block)) > 0) ; ++ test_assert(ret == 0); ++ message_parser_deinit(&parser, &parts); ++ } ++ ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + static void test_message_parser_truncated_mime_headers(void) + { + static const char input_msg[] = +@@ -740,6 +770,7 @@ int main(void) + { + static void (*test_functions[])(void) = { + test_message_parser_small_blocks, ++ test_message_parser_stop_early, + test_message_parser_truncated_mime_headers, + test_message_parser_truncated_mime_headers2, + test_message_parser_truncated_mime_headers3, +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..52848bf3a7 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch @@ -0,0 +1,87 @@ +From d7bba401dd234802bcdb55ff27dfb99bffdab804 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 17:09:33 +0300 +Subject: [PATCH 11/13] lib-mail: message-parser - Support limiting max number + of MIME parts + +The default is to allow 10000 MIME parts. When it's reached, no more +MIME boundary lines will be recognized, so the rest of the mail belongs +to the last added MIME part. +--- + src/lib-mail/message-parser.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 721615f76..646307802 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -14,6 +14,7 @@ + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000 + + struct message_boundary { + struct message_boundary *next; +@@ -31,10 +32,12 @@ struct message_parser_ctx { + struct message_part *parts, *part; + const char *broken_reason; + unsigned int nested_parts_count; ++ unsigned int total_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + unsigned int max_nested_mime_parts; ++ unsigned int max_total_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -211,7 +214,9 @@ message_part_append(struct message_parser_ctx *ctx) + + ctx->part = part; + ctx->nested_parts_count++; ++ ctx->total_parts_count++; + i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); ++ i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts); + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -296,6 +301,12 @@ boundary_line_find(struct message_parser_ctx *ctx, + return -1; + } + ++ if (ctx->total_parts_count >= ctx->max_total_mime_parts) { ++ /* can't add any more MIME parts. just stop trying to find ++ more boundaries. */ ++ return -1; ++ } ++ + /* need to find the end of line */ + data += 2; + size -= 2; +@@ -1125,6 +1136,8 @@ message_parser_init_int(struct istream *input, + ctx->flags = flags; + ctx->max_nested_mime_parts = + MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; ++ ctx->max_total_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1142,6 +1155,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ ctx->total_parts_count = 1; + i_array_init(&ctx->next_part_stack, 4); + return ctx; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch new file mode 100644 index 0000000000..a81177d2ba --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch @@ -0,0 +1,133 @@ +From 0c9d56b41b992a868f299e05677a67c4d0495523 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 2 Jul 2020 17:31:19 +0300 +Subject: [PATCH 12/13] lib-mail: Fix handling trailing "--" in MIME boundaries + +Broken by 5b8ec27fae941d06516c30476dcf4820c6d200ab +--- + src/lib-mail/message-parser.c | 14 ++++++++---- + src/lib-mail/test-message-parser.c | 46 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+), 4 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 646307802..175d4b488 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -75,7 +75,7 @@ static int preparsed_parse_next_header_init(struct message_parser_ctx *ctx, + + static struct message_boundary * + boundary_find(struct message_boundary *boundaries, +- const unsigned char *data, size_t len) ++ const unsigned char *data, size_t len, bool trailing_dashes) + { + struct message_boundary *best = NULL; + +@@ -89,7 +89,11 @@ boundary_find(struct message_boundary *boundaries, + memcmp(boundaries->boundary, data, boundaries->len) == 0 && + (best == NULL || best->len < boundaries->len)) { + best = boundaries; +- if (best->len == len) { ++ /* If we see "foo--", it could either mean that there ++ is a boundary named "foo" that ends now or there's ++ a boundary "foo--" which continues. */ ++ if (best->len == len || ++ (best->len == len-2 && trailing_dashes)) { + /* This is exactly the wanted boundary. There + can't be a better one. */ + break; +@@ -319,6 +323,7 @@ boundary_line_find(struct message_parser_ctx *ctx, + return 0; + } + size_t find_size = size; ++ bool trailing_dashes = FALSE; + + if (lf_pos != NULL) { + find_size = lf_pos - data; +@@ -326,11 +331,12 @@ boundary_line_find(struct message_parser_ctx *ctx, + find_size--; + if (find_size > 2 && data[find_size-1] == '-' && + data[find_size-2] == '-') +- find_size -= 2; ++ trailing_dashes = TRUE; + } else if (find_size > BOUNDARY_END_MAX_LEN) + find_size = BOUNDARY_END_MAX_LEN; + +- *boundary_r = boundary_find(ctx->boundaries, data, find_size); ++ *boundary_r = boundary_find(ctx->boundaries, data, find_size, ++ trailing_dashes); + if (*boundary_r == NULL) + return -1; + +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 481d05942..113454ea0 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -510,6 +510,51 @@ static const char input_msg[] = + test_end(); + } + ++static void test_message_parser_trailing_dashes(void) ++{ ++static const char input_msg[] = ++"Content-Type: multipart/mixed; boundary=\"a--\"\n" ++"\n" ++"--a--\n" ++"Content-Type: multipart/mixed; boundary=\"a----\"\n" ++"\n" ++"--a----\n" ++"Content-Type: text/plain\n" ++"\n" ++"body\n" ++"--a------\n" ++"Content-Type: text/html\n" ++"\n" ++"body2\n" ++"--a----"; ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts; ++ struct message_block block; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser trailing dashes"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(input_msg); ++ ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ; ++ test_assert(ret < 0); ++ message_parser_deinit(&parser, &parts); ++ ++ test_assert(parts->children_count == 2); ++ test_assert(parts->children->next == NULL); ++ test_assert(parts->children->children_count == 1); ++ test_assert(parts->children->children->next == NULL); ++ test_assert(parts->children->children->children_count == 0); ++ ++ test_parsed_parts(input, parts); ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + static void test_message_parser_continuing_mime_boundary(void) + { + static const char input_msg[] = +@@ -777,6 +822,7 @@ int main(void) + test_message_parser_empty_multipart, + test_message_parser_duplicate_mime_boundary, + test_message_parser_garbage_suffix_mime_boundary, ++ test_message_parser_trailing_dashes, + test_message_parser_continuing_mime_boundary, + test_message_parser_continuing_truncated_mime_boundary, + test_message_parser_long_mime_boundary, +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch new file mode 100644 index 0000000000..97068345fb --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch @@ -0,0 +1,32 @@ +From f77a2b6c3ffe2ea96f4a4b05ec38dc9d53266ecb Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Wed, 27 May 2020 11:35:55 +0300 +Subject: [PATCH 13/13] lib-mail: Fix parse_too_many_nested_mime_parts() + +This was originally correct, until it was "optimized" wrong and got merged. +--- + src/lib-mail/message-parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 175d4b488..5b11772ff 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -621,7 +621,7 @@ static bool block_is_at_eoh(const struct message_block *block) + + static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx) + { +- return ctx->nested_parts_count > ctx->max_nested_mime_parts; ++ return ctx->nested_parts_count+1 >= ctx->max_nested_mime_parts; + } + + #define MUTEX_FLAGS \ +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch new file mode 100644 index 0000000000..44f6564f89 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch @@ -0,0 +1,27 @@ +From 1a6ff0beebf0ab0c71081eaff1d5d7fd26015a94 Mon Sep 17 00:00:00 2001 +From: Josef 'Jeff' Sipek <jeff.sipek@dovecot.fi> +Date: Tue, 19 Sep 2017 13:26:57 +0300 +Subject: [PATCH] lib: buffer_free(NULL) should be a no-op + +--- + src/lib/buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +--- a/src/lib/buffer.c ++++ b/src/lib/buffer.c +@@ -148,6 +148,9 @@ void buffer_free(buffer_t **_buf) + { + struct real_buffer *buf = (struct real_buffer *)*_buf; + ++ if (buf == NULL) ++ return; ++ + *_buf = NULL; + if (buf->alloced) + p_free(buf->pool, buf->w_buffer); diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb index 0f7fad2b24..29905196b6 100644 --- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb +++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb @@ -10,6 +10,22 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \ file://dovecot.service \ file://dovecot.socket \ file://0001-doveadm-Fix-parallel-build.patch \ + file://0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch \ + file://0002-lib-mail-message-parser-Change-message_part_append-t.patch \ + file://0003-lib-mail-message-parser-Optimize-updating-children_c.patch \ + file://0004-lib-mail-message-parser-Optimize-appending-new-part-.patch \ + file://0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch \ + file://0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch \ + file://0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch \ + file://0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch \ + file://0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch \ + file://0010-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0011-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch \ + file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \ + file://buffer_free_fix.patch \ + file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \ + file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \ " SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2" @@ -67,3 +83,6 @@ FILES_${PN} += "${libdir}/dovecot/*plugin.so \ FILES_${PN}-staticdev += "${libdir}/dovecot/*/*.a" FILES_${PN}-dev += "${libdir}/dovecot/libdovecot*.so" FILES_${PN}-dbg += "${libdir}/dovecot/*/.debug" + +# CVE-2016-4983 affects only postinstall script on specific distribution +CVE_CHECK_WHITELIST += "CVE-2016-4983" diff --git a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb index 5dabdd51d0..cad2fa7d71 100644 --- a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb +++ b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb @@ -8,13 +8,14 @@ SECTION = "admin" LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=5574c6965ae5f583e55880e397fbb018" -SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils \ - git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers \ +SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils;branch=master;protocol=https \ + git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers;branch=master;protocol=https \ ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','file://0001-drbd-utils-support-usrmerge.patch','',d)} \ " # v9.12.0 SRCREV_drbd-utils = "91629a4cce49ca0d4f917fe0bffa25cfe8db3052" SRCREV_drbd-headers = "233006b4d26cf319638be0ef6d16ec7dee287b66" +SRCREV_FORMAT = "drbd-utils_drbd-headers" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb index ed5c3a9799..8301c65bfa 100644 --- a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb +++ b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4f3ea6e9b28af88dc0321190a1f8250" S = "${WORKDIR}/git" SRCREV = "4cdfdc38eca237c19c22a8b90490446ce6d970fa" -SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https; \ +SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https;branch=master \ file://run-ptest \ " diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb index 4271c2e155..0efcbec1fc 100644 --- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb +++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb @@ -10,7 +10,7 @@ SECTION = "libdevel" GEOIP_DATABASE_VERSION = "20181205" -SRC_URI = "git://github.com/maxmind/geoip-api-c.git \ +SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \ http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb index 125b59e760..9c15490dcb 100644 --- a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb +++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb @@ -9,7 +9,7 @@ inherit manpages MAN_PKG = "${PN}" SRCREV = "42bfbb9beb924672ca86b86e9679ac3d6b87d992" -SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https" +SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb index ad0ec27001..59e540a710 100644 --- a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb +++ b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" SRCREV = "c3ee70c878b9c5833a77a1f339f1ca4dc6f225c5" SRC_URI = "\ - git://github.com/nmav/ipcalc.git;protocol=https; \ + git://github.com/nmav/ipcalc.git;protocol=https;branch=master \ file://0001-Makefile-pass-extra-linker-flags.patch \ " diff --git a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb index 3cabc4ff8d..7a229c7b1e 100644 --- a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb +++ b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb @@ -14,7 +14,7 @@ PV .= "+git${SRCPV}" LK_REL = "1.0.18" SRC_URI = " \ - git://github.com/sctp/lksctp-tools.git \ + git://github.com/sctp/lksctp-tools.git;branch=master;protocol=https \ file://0001-withsctp-use-PACKAGE_VERSION-in-withsctp.h.patch \ file://0001-configure.ac-add-CURRENT-REVISION-and-AGE-for-libsct.patch \ file://0001-build-fix-netinet-sctp.h-not-to-be-installed.patch \ diff --git a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb index 5917cfb3e1..e073561655 100644 --- a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb +++ b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "flex-native bison-native libnl python" PV = "0.3.1+git${SRCPV}" -SRC_URI = "git://github.com/linux-wpan/lowpan-tools \ +SRC_URI = "git://github.com/linux-wpan/lowpan-tools;branch=master;protocol=https \ file://no-help2man.patch \ file://0001-Fix-build-errors-with-clang.patch \ file://0001-addrdb-coord-config-parse.y-add-missing-time.h-inclu.patch \ diff --git a/meta-networking/recipes-support/mtr/mtr_0.93.bb b/meta-networking/recipes-support/mtr/mtr_0.93.bb index dd150700a9..4db7f7bbf8 100644 --- a/meta-networking/recipes-support/mtr/mtr_0.93.bb +++ b/meta-networking/recipes-support/mtr/mtr_0.93.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468" SRCREV = "304349bad86229aedbc62c07d5e98a8292967991" -SRC_URI = "git://github.com/traviscross/mtr" +SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb index a63e49ec55..0876c6f354 100644 --- a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb +++ b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb @@ -9,7 +9,7 @@ HOMEPAGE = "https://github.com/libguestfs/nbdkit" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=4332a97808994cf2133a65b6c6f33eaf" -SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \ +SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ file://0001-server-Fix-build-when-printf-is-a-macro.patch \ " diff --git a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb index 5f866052c6..d359b620b8 100644 --- a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb +++ b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" PV = "1.0.4+git${SRCPV}" SRCREV = "4c794b5512d23c649def1f94a684225dcbb6ac3e" -SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http \ +SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master \ file://0001-replace-VLAIS-with-malloc-free-pair.patch \ file://0002-Do-not-undef-_GNU_SOURCE.patch \ file://0001-autogen-Do-not-symlink-gettext.h-from-build-host.patch \ diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb index 14d743f820..1e113de519 100644 --- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb +++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb @@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967 inherit autotools +CVE_PRODUCT = "netcat_project:netcat" + do_install_append() { install -d ${D}${bindir} mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN} diff --git a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb index a180571f2d..af617ce922 100644 --- a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb +++ b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb919cc88dbe06ec0b0bd50e001ccf1f" SRCREV = "2c5d4255857531bc09d91dcd02e86545f29004d4" PV .= "+git${SRCPV}" -SRC_URI = "git://pagure.io/netcf.git;protocol=https \ +SRC_URI = "git://pagure.io/netcf.git;protocol=https;branch=master \ " UPSTREAM_CHECK_GITTAGREGEX = "release-(?P<pver>(\d+(\.\d+)+))" diff --git a/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-networking/recipes-support/netperf/netperf_git.bb index d48f3aeabd..f6ea211f7a 100644 --- a/meta-networking/recipes-support/netperf/netperf_git.bb +++ b/meta-networking/recipes-support/netperf/netperf_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a0ab17253e7a3f318da85382c7d5d5d6" PV = "2.7.0+git${SRCPV}" -SRC_URI = "git://github.com/HewlettPackard/netperf.git \ +SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=https \ file://cpu_set.patch \ file://vfork.patch \ file://init \ diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch new file mode 100644 index 0000000000..ca181bb4b2 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch @@ -0,0 +1,31 @@ +From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001 +From: James M Snell <jasnell@gmail.com> +Date: Sun, 19 Apr 2020 09:12:24 -0700 +Subject: [PATCH] Earlier check for settings flood + +CVE: CVE-2020-11080 +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch] +Comment: No hunk refreshed +Affects-version: < v1.41.0 +Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> +--- + lib/nghttp2_session.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: nghttp2-1.40.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.40.0/lib/nghttp2_session.c +@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + break; + } + ++ /* Check the settings flood counter early to be safe */ ++ if (session->obq_flood_counter_ >= session->max_outbound_ack && ++ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) { ++ return NGHTTP2_ERR_FLOODED; ++ } ++ + iframe->state = NGHTTP2_IB_READ_SETTINGS; + + if (iframe->payloadleft) { diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch new file mode 100644 index 0000000000..d3c57e9a80 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch @@ -0,0 +1,308 @@ +From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17 00:00:00 2001 +From: James M Snell <jasnell@gmail.com> +Date: Fri, 17 Apr 2020 16:53:51 -0700 +Subject: [PATCH] Implement max settings option + +CVE: CVE-2020-11080 +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090.patch] +Comment: No hunks refreshed +Affects-version: < v1.41.0 +Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> +--- + doc/CMakeLists.txt | 1 + + doc/Makefile.am | 1 + + lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++ + lib/nghttp2_helper.c | 2 ++ + lib/nghttp2_option.c | 5 +++ + lib/nghttp2_option.h | 5 +++ + lib/nghttp2_session.c | 21 ++++++++++++ + lib/nghttp2_session.h | 2 ++ + tests/main.c | 2 ++ + tests/nghttp2_session_test.c | 61 ++++++++++++++++++++++++++++++++++ + tests/nghttp2_session_test.h | 1 + + 11 files changed, 124 insertions(+) + +Index: nghttp2-1.40.0/doc/CMakeLists.txt +=================================================================== +--- nghttp2-1.40.0.orig/doc/CMakeLists.txt ++++ nghttp2-1.40.0/doc/CMakeLists.txt +@@ -42,6 +42,7 @@ set(APIDOCS + nghttp2_option_set_no_recv_client_magic.rst + nghttp2_option_set_peer_max_concurrent_streams.rst + nghttp2_option_set_user_recv_extension_type.rst ++ nghttp2_option_set_max_settings.rst + nghttp2_pack_settings_payload.rst + nghttp2_priority_spec_check_default.rst + nghttp2_priority_spec_default_init.rst +Index: nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/includes/nghttp2/nghttp2.h ++++ nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h +@@ -229,6 +229,13 @@ typedef struct { + #define NGHTTP2_CLIENT_MAGIC_LEN 24 + + /** ++ * @macro ++ * ++ * The default max number of settings per SETTINGS frame ++ */ ++#define NGHTTP2_DEFAULT_MAX_SETTINGS 32 ++ ++/** + * @enum + * + * Error codes used in this library. The code range is [-999, -500], +@@ -399,6 +406,11 @@ typedef enum { + */ + NGHTTP2_ERR_SETTINGS_EXPECTED = -536, + /** ++ * When a local endpoint receives too many settings entries ++ * in a single SETTINGS frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537, ++ /** + * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is + * under unexpected condition and processing was terminated (e.g., + * out of memory). If application receives this error code, it must +@@ -2661,6 +2673,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_m + + /** + * @function ++ * ++ * This function sets the maximum number of SETTINGS entries per ++ * SETTINGS frame that will be accepted. If more than those entries ++ * are received, the peer is considered to be misbehaving and session ++ * will be closed. The default value is 32. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option, ++ size_t val); ++ ++/** ++ * @function + * + * Initializes |*session_ptr| for client use. The all members of + * |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr| +Index: nghttp2-1.40.0/lib/nghttp2_helper.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_helper.c ++++ nghttp2-1.40.0/lib/nghttp2_helper.c +@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_c + case NGHTTP2_ERR_FLOODED: + return "Flooding was detected in this HTTP/2 session, and it must be " + "closed"; ++ case NGHTTP2_ERR_TOO_MANY_SETTINGS: ++ return "SETTINGS frame contained more than the maximum allowed entries"; + default: + return "Unknown error code"; + } +Index: nghttp2-1.40.0/lib/nghttp2_option.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_option.c ++++ nghttp2-1.40.0/lib/nghttp2_option.c +@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack + option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK; + option->max_outbound_ack = val; + } ++ ++void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS; ++ option->max_settings = val; ++} +Index: nghttp2-1.40.0/lib/nghttp2_option.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_option.h ++++ nghttp2-1.40.0/lib/nghttp2_option.h +@@ -67,6 +67,7 @@ typedef enum { + NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9, + NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10, + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, ++ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, + } nghttp2_option_flag; + + /** +@@ -86,6 +87,10 @@ struct nghttp2_option { + */ + size_t max_outbound_ack; + /** ++ * NGHTTP2_OPT_MAX_SETTINGS ++ */ ++ size_t max_settings; ++ /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. + */ +Index: nghttp2-1.40.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.40.0/lib/nghttp2_session.c +@@ -458,6 +458,7 @@ static int session_new(nghttp2_session * + + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -521,6 +522,11 @@ static int session_new(nghttp2_session * + if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) { + (*session_ptr)->max_outbound_ack = option->max_outbound_ack; + } ++ ++ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) && ++ option->max_settings) { ++ (*session_ptr)->max_settings = option->max_settings; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -5694,6 +5700,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + iframe->max_niv = + iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1; + ++ if (iframe->max_niv - 1 > session->max_settings) { ++ rv = nghttp2_session_terminate_session_with_reason( ++ session, NGHTTP2_ENHANCE_YOUR_CALM, ++ "SETTINGS: too many setting entries"); ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ return (ssize_t)inlen; ++ } ++ + iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) * + iframe->max_niv); + +@@ -7460,6 +7476,11 @@ static int nghttp2_session_upgrade_inter + if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) { + return NGHTTP2_ERR_INVALID_ARGUMENT; + } ++ /* SETTINGS frame contains too many settings */ ++ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH ++ > session->max_settings) { ++ return NGHTTP2_ERR_TOO_MANY_SETTINGS; ++ } + rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload, + settings_payloadlen, mem); + if (rv != 0) { +Index: nghttp2-1.40.0/lib/nghttp2_session.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.h ++++ nghttp2-1.40.0/lib/nghttp2_session.h +@@ -267,6 +267,8 @@ struct nghttp2_session { + /* The maximum length of header block to send. Calculated by the + same way as nghttp2_hd_deflate_bound() does. */ + size_t max_send_header_block_length; ++ /* The maximum number of settings accepted per SETTINGS frame. */ ++ size_t max_settings; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, +Index: nghttp2-1.40.0/tests/main.c +=================================================================== +--- nghttp2-1.40.0.orig/tests/main.c ++++ nghttp2-1.40.0/tests/main.c +@@ -315,6 +315,8 @@ int main() { + test_nghttp2_session_set_local_window_size) || + !CU_add_test(pSuite, "session_cancel_from_before_frame_send", + test_nghttp2_session_cancel_from_before_frame_send) || ++ !CU_add_test(pSuite, "session_too_many_settings", ++ test_nghttp2_session_too_many_settings) || + !CU_add_test(pSuite, "session_removed_closed_stream", + test_nghttp2_session_removed_closed_stream) || + !CU_add_test(pSuite, "session_pause_data", +Index: nghttp2-1.40.0/tests/nghttp2_session_test.c +=================================================================== +--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.c ++++ nghttp2-1.40.0/tests/nghttp2_session_test.c +@@ -10558,6 +10558,67 @@ void test_nghttp2_session_cancel_from_be + nghttp2_session_del(session); + } + ++void test_nghttp2_session_too_many_settings(void) { ++ nghttp2_session *session; ++ nghttp2_option *option; ++ nghttp2_session_callbacks callbacks; ++ nghttp2_frame frame; ++ nghttp2_bufs bufs; ++ nghttp2_buf *buf; ++ ssize_t rv; ++ my_user_data ud; ++ nghttp2_settings_entry iv[3]; ++ nghttp2_mem *mem; ++ nghttp2_outbound_item *item; ++ ++ mem = nghttp2_mem_default(); ++ frame_pack_bufs_init(&bufs); ++ ++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks)); ++ callbacks.on_frame_recv_callback = on_frame_recv_callback; ++ callbacks.send_callback = null_send_callback; ++ ++ nghttp2_option_new(&option); ++ nghttp2_option_set_max_settings(option, 1); ++ ++ nghttp2_session_client_new2(&session, &callbacks, &ud, option); ++ ++ CU_ASSERT(1 == session->max_settings); ++ ++ nghttp2_option_del(option); ++ ++ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE; ++ iv[0].value = 3000; ++ ++ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE; ++ iv[1].value = 16384; ++ ++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2), ++ 2); ++ ++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings); ++ ++ CU_ASSERT(0 == rv); ++ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0); ++ ++ nghttp2_frame_settings_free(&frame.settings, mem); ++ ++ buf = &bufs.head->buf; ++ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf)); ++ ++ ud.frame_recv_cb_called = 0; ++ ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ item = nghttp2_session_get_next_ob_item(session); ++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type); ++ ++ nghttp2_bufs_reset(&bufs); ++ nghttp2_bufs_free(&bufs); ++ nghttp2_session_del(session); ++} ++ + static void + prepare_session_removed_closed_stream(nghttp2_session *session, + nghttp2_hd_deflater *deflater) { +Index: nghttp2-1.40.0/tests/nghttp2_session_test.h +=================================================================== +--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.h ++++ nghttp2-1.40.0/tests/nghttp2_session_test.h +@@ -156,6 +156,7 @@ void test_nghttp2_session_repeated_prior + void test_nghttp2_session_repeated_priority_submission(void); + void test_nghttp2_session_set_local_window_size(void); + void test_nghttp2_session_cancel_from_before_frame_send(void); ++void test_nghttp2_session_too_many_settings(void); + void test_nghttp2_session_removed_closed_stream(void); + void test_nghttp2_session_pause_data(void); + void test_nghttp2_session_no_closed_streams(void); +Index: nghttp2-1.40.0/doc/Makefile.am +=================================================================== +--- nghttp2-1.40.0.orig/doc/Makefile.am ++++ nghttp2-1.40.0/doc/Makefile.am +@@ -69,6 +69,7 @@ APIDOCS= \ + nghttp2_option_set_peer_max_concurrent_streams.rst \ + nghttp2_option_set_user_recv_extension_type.rst \ + nghttp2_option_set_max_outbound_ack.rst \ ++ nghttp2_option_set_max_settings.rst \ + nghttp2_pack_settings_payload.rst \ + nghttp2_priority_spec_check_default.rst \ + nghttp2_priority_spec_default_init.rst \ diff --git a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb index 9ed8c56420..b497058ca6 100644 --- a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb +++ b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb @@ -10,6 +10,8 @@ UPSTREAM_CHECK_URI = "https://github.com/nghttp2/nghttp2/releases" SRC_URI = "\ https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \ file://0001-fetch-ocsp-response-use-python3.patch \ + file://CVE-2020-11080-1.patch \ + file://CVE-2020-11080-2.patch \ " SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c" SRC_URI[sha256sum] = "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073" diff --git a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb index bb401666c6..0c67f67d70 100644 --- a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb +++ b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb @@ -14,7 +14,7 @@ and ypdomainname. \ # v4.2.3 SRCREV = "1bfda29c342a81b97cb1995ffd9e8da5de63e7ab" -SRC_URI = "git://github.com/thkukuk/yp-tools \ +SRC_URI = "git://github.com/thkukuk/yp-tools;branch=master;protocol=https \ file://domainname.service \ " diff --git a/meta-networking/recipes-support/ntimed/ntimed_git.bb b/meta-networking/recipes-support/ntimed/ntimed_git.bb index a749b16593..43ed1abe38 100644 --- a/meta-networking/recipes-support/ntimed/ntimed_git.bb +++ b/meta-networking/recipes-support/ntimed/ntimed_git.bb @@ -8,7 +8,7 @@ SECTION = "net" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://main.c;beginline=2;endline=24;md5=89db8e76f2951f3fad167e7aa9718a44" -SRC_URI = "git://github.com/bsdphk/Ntimed \ +SRC_URI = "git://github.com/bsdphk/Ntimed;branch=master;protocol=https \ file://use-ldflags.patch" PV = "0.0+git${SRCPV}" diff --git a/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch new file mode 100644 index 0000000000..734c6f197b --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch @@ -0,0 +1,340 @@ +ntp: backport patch for 5 CVEs CVE-2023-26551/2/3/4/5 + +Upstream-Status: Backport [https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch] +CVE: CVE-2023-26551 +CVE: CVE-2023-26552 +CVE: CVE-2023-26553 +CVE: CVE-2023-26554 +CVE: CVE-2023-26555 + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/ntp_fp.h | 4 +- + libntp/mstolfp.c | 108 +++++++++++++++------------------------ + ntpd/refclock_palisade.c | 50 +++++++++++++++--- + tests/libntp/strtolfp.c | 33 +++++++----- + 4 files changed, 104 insertions(+), 91 deletions(-) + +diff --git a/include/ntp_fp.h b/include/ntp_fp.h +index afd1f82..fe6e390 100644 +--- a/include/ntp_fp.h ++++ b/include/ntp_fp.h +@@ -195,9 +195,9 @@ typedef u_int32 u_fp; + do { \ + int32 add_f = (int32)(f); \ + if (add_f >= 0) \ +- M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \ ++ M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \ + else \ +- M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \ ++ M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \ + } while(0) + + #define M_ISNEG(v_i) /* v < 0 */ \ +diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c +index 3dfc4ef..a906d76 100644 +--- a/libntp/mstolfp.c ++++ b/libntp/mstolfp.c +@@ -14,86 +14,58 @@ mstolfp( + l_fp *lfp + ) + { +- register const char *cp; +- register char *bp; +- register const char *cpdec; +- char buf[100]; ++ int ch, neg = 0; ++ u_int32 q, r; + + /* + * We understand numbers of the form: + * + * [spaces][-|+][digits][.][digits][spaces|\n|\0] + * +- * This is one enormous hack. Since I didn't feel like +- * rewriting the decoding routine for milliseconds, what +- * is essentially done here is to make a copy of the string +- * with the decimal moved over three places so the seconds +- * decoding routine can be used. ++ * This is kinda hack. We use 'atolfp' to do the basic parsing ++ * (after some initial checks) and then divide the result by ++ * 1000. The original implementation avoided that by ++ * hacking up the input string to move the decimal point, but ++ * that needed string manipulations prone to buffer overruns. ++ * To avoid that trouble we do the conversion first and adjust ++ * the result. + */ +- bp = buf; +- cp = str; +- while (isspace((unsigned char)*cp)) +- cp++; + +- if (*cp == '-' || *cp == '+') { +- *bp++ = *cp++; +- } +- +- if (*cp != '.' && !isdigit((unsigned char)*cp)) +- return 0; +- ++ while (isspace(ch = *(const unsigned char*)str)) ++ ++str; + +- /* +- * Search forward for the decimal point or the end of the string. +- */ +- cpdec = cp; +- while (isdigit((unsigned char)*cpdec)) +- cpdec++; +- +- /* +- * Found something. If we have more than three digits copy the +- * excess over, else insert a leading 0. +- */ +- if ((cpdec - cp) > 3) { +- do { +- *bp++ = (char)*cp++; +- } while ((cpdec - cp) > 3); +- } else { +- *bp++ = '0'; ++ switch (ch) { ++ case '-': neg = TRUE; ++ case '+': ++str; ++ default : break; + } + +- /* +- * Stick the decimal in. If we've got less than three digits in +- * front of the millisecond decimal we insert the appropriate number +- * of zeros. +- */ +- *bp++ = '.'; +- if ((cpdec - cp) < 3) { +- size_t i = 3 - (cpdec - cp); +- do { +- *bp++ = '0'; +- } while (--i > 0); +- } ++ if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.')) ++ return 0; ++ if (!atolfp(str, lfp)) ++ return 0; + +- /* +- * Copy the remainder up to the millisecond decimal. If cpdec +- * is pointing at a decimal point, copy in the trailing number too. ++ /* now do a chained/overlapping division by 1000 to get from ++ * seconds to msec. 1000 is small enough to go with temporary ++ * 32bit accus for Q and R. + */ +- while (cp < cpdec) +- *bp++ = (char)*cp++; +- +- if (*cp == '.') { +- cp++; +- while (isdigit((unsigned char)*cp)) +- *bp++ = (char)*cp++; +- } +- *bp = '\0'; ++ q = lfp->l_ui / 1000u; ++ r = lfp->l_ui - (q * 1000u); ++ lfp->l_ui = q; + +- /* +- * Check to make sure the string is properly terminated. If +- * so, give the buffer to the decoding routine. +- */ +- if (*cp != '\0' && !isspace((unsigned char)*cp)) +- return 0; +- return atolfp(buf, lfp); ++ r = (r << 16) | (lfp->l_uf >> 16); ++ q = r / 1000u; ++ r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu); ++ lfp->l_uf = q << 16; ++ q = r / 1000; ++ lfp->l_uf |= q; ++ r -= q * 1000u; ++ ++ /* fix sign */ ++ if (neg) ++ L_NEG(lfp); ++ /* round */ ++ if (r >= 500) ++ L_ADDF(lfp, (neg ? -1 : 1)); ++ return 1; + } +diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c +index cb68255..15c21d8 100644 +--- a/ntpd/refclock_palisade.c ++++ b/ntpd/refclock_palisade.c +@@ -1225,9 +1225,9 @@ palisade_poll ( + return; /* using synchronous packet input */ + + if(up->type == CLK_PRAECIS) { +- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) ++ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) { + msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit); +- else { ++ } else { + praecis_msg = 1; + return; + } +@@ -1249,20 +1249,53 @@ praecis_parse ( + + pp = peer->procptr; + +- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length); ++ if (p + rbufp->recv_length >= sizeof buf) { ++ struct palisade_unit *up; ++ up = pp->unitptr; ++ ++ /* ++ * We COULD see if there is a \r\n in the incoming ++ * buffer before it overflows, and then process the ++ * current line. ++ * ++ * Similarly, if we already have a hunk of data that ++ * we're now flushing, that will cause the line of ++ * data we're in the process of collecting to be garbage. ++ * ++ * Since we now check for this overflow and log when it ++ * happens, we're now in a better place to easily see ++ * what's going on and perhaps better choices can be made. ++ */ ++ ++ /* Do we need to log the size of the overflow? */ ++ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow", ++ up->unit); ++ ++ p = 0; ++ praecis_msg = 0; ++ ++ refclock_report(peer, CEVNT_BADREPLY); ++ ++ return; ++ } ++ ++ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length); + p += rbufp->recv_length; + +- if(buf[p-2] == '\r' && buf[p-1] == '\n') { ++ if ( p >= 2 ++ && buf[p-2] == '\r' ++ && buf[p-1] == '\n') { + buf[p-2] = '\0'; + record_clock_stats(&peer->srcadr, buf); + + p = 0; + praecis_msg = 0; + +- if (HW_poll(pp) < 0) ++ if (HW_poll(pp) < 0) { + refclock_report(peer, CEVNT_FAULT); +- ++ } + } ++ return; + } + + static void +@@ -1407,7 +1440,10 @@ HW_poll ( + + /* Edge trigger */ + if (up->type == CLK_ACUTIME) +- write (pp->io.fd, "", 1); ++ if (write (pp->io.fd, "", 1) != 1) ++ msyslog(LOG_WARNING, ++ "Palisade(%d) HW_poll: failed to send trigger: %m", ++ up->unit); + + if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) { + #ifdef DEBUG +diff --git a/tests/libntp/strtolfp.c b/tests/libntp/strtolfp.c +index 6855d9b..9090159 100644 +--- a/tests/libntp/strtolfp.c ++++ b/tests/libntp/strtolfp.c +@@ -26,6 +26,13 @@ setUp(void) + return; + } + ++static const char* fmtLFP(const l_fp *e, const l_fp *a) ++{ ++ static char buf[100]; ++ snprintf(buf, sizeof(buf), "e=$%08x.%08x, a=$%08x.%08x", ++ e->l_ui, e->l_uf, a->l_ui, a->l_uf); ++ return buf; ++} + + void test_PositiveInteger(void) { + const char *str = "500"; +@@ -37,8 +44,8 @@ void test_PositiveInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeInteger(void) { +@@ -54,8 +61,8 @@ void test_NegativeInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveFraction(void) { +@@ -68,8 +75,8 @@ void test_PositiveFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeFraction(void) { +@@ -85,8 +92,8 @@ void test_NegativeFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveMsFraction(void) { +@@ -100,9 +107,8 @@ void test_PositiveMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeMsFraction(void) { +@@ -118,9 +124,8 @@ void test_NegativeMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_InvalidChars(void) { +-- +2.25.1 + diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-networking/recipes-support/ntp/ntp/ntpdate index 17b64d1335..be3bacfcd1 100755 --- a/meta-networking/recipes-support/ntp/ntp/ntpdate +++ b/meta-networking/recipes-support/ntp/ntp/ntpdate @@ -52,3 +52,8 @@ if [ -x /usr/bin/lockfile-create ] ; then fi ) & + +# wait for all subprocesses to finish +# this is required when using systemd service as ntpd will start before ntpdate finishes +# and results in a bind error (port 123) +wait diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index 7e168825e0..1a223db6fa 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb @@ -22,8 +22,8 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g file://sntp.service \ file://sntp \ file://ntpd.list \ + file://CVE-2023-2655x.patch \ " - SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19" inherit autotools update-rc.d useradd systemd pkgconfig @@ -61,6 +61,14 @@ PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging" PACKAGECONFIG[mdns] = "ac_cv_header_dns_sd_h=yes,ac_cv_header_dns_sd_h=no,mdns" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +do_configure_append() { + # tests are generated but also checked-in to source control + # when CVE-2023-2655x.patch changes timestamp of test source file, Makefile detects it and tries to regenerate it + # however it fails because of missing ruby interpretter; adding ruby-native as dependency fixes it + # since the regenerated file is identical to the one from source control, touch the generated file instead of adding heavy dependency + touch ${S}/tests/libntp/run-strtolfp.c +} + do_install_append() { install -d ${D}${sysconfdir}/init.d install -m 644 ${WORKDIR}/ntp.conf ${D}${sysconfdir} diff --git a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb index a03b92f5fe..1bf7c48e09 100644 --- a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb +++ b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb @@ -13,7 +13,7 @@ SECTION = "net" DEPENDS = "openssl" -SRC_URI = "git://github.com/open-iscsi/open-isns" +SRC_URI = "git://github.com/open-iscsi/open-isns;branch=master;protocol=https" SRCREV = "cfdbcff867ee580a71bc9c18c3a38a6057df0150" diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb index 529e3912bb..55e66036b7 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb @@ -14,8 +14,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" -SRC_URI[md5sum] = "52863fa9b98e5a3d7f8bec1d5785a2ba" -SRC_URI[sha256sum] = "46b268ef88e67ca6de2e9f19943eb9e5ac8544e55f5c1f3af677298d03e64b6e" +SRC_URI[md5sum] = "e83d430947fb7c9ad1a174987317d1dc" +SRC_URI[sha256sum] = "66952d9c95490e5875f04c9f8fa313b5e816d1b7b4d6cda3fb2ff749ad405dee" + +# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. +CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569" SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-networking/recipes-support/phytool/phytool.bb b/meta-networking/recipes-support/phytool/phytool.bb index 29499d6d7a..7fde88c447 100644 --- a/meta-networking/recipes-support/phytool/phytool.bb +++ b/meta-networking/recipes-support/phytool/phytool.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" PV = "2+git${SRCPV}" SRCREV = "8882328c08ba2efb13c049812098f1d0cb8adf0c" -SRC_URI = "git://github.com/wkz/phytool.git" +SRC_URI = "git://github.com/wkz/phytool.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb index 15fd7ff663..5cb4e67c28 100644 --- a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb +++ b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb @@ -6,7 +6,7 @@ DEPENDS = "libnl" RDEPENDS_${PN} = "bash perl" BRANCH = "stable-v${@d.getVar('PV').split('.')[0]}" -SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH} \ +SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH};protocol=https \ file://0001-Remove-man-files-which-cant-be-built.patch \ " SRCREV = "f12c953f0864691eacc9fcc4cda489b92ffd5a85" diff --git a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb index 0b63f79aca..d8a1f6140f 100644 --- a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb +++ b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRCREV = "a8e5847e5f7e411be424f9b52a6cdf9d2ed4aeb5" -SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=git" +SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice-protocol_git.bb b/meta-networking/recipes-support/spice/spice-protocol_git.bb index 1d56bea17c..ca683bf220 100644 --- a/meta-networking/recipes-support/spice/spice-protocol_git.bb +++ b/meta-networking/recipes-support/spice/spice-protocol_git.bb @@ -18,7 +18,7 @@ PV = "0.14.1+git${SRCPV}" SRCREV = "e0ec178a72aa33e307ee5ac02b63bf336da921a5" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice-protocol \ + git://anongit.freedesktop.org/spice/spice-protocol;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb index 9d3a0e6cb5..3d47f5a54a 100644 --- a/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-networking/recipes-support/spice/spice_git.bb @@ -21,8 +21,8 @@ SRCREV_spice-common = "4fc4c2db36c7f07b906e9a326a9d3dc0ae6a2671" SRCREV_FORMAT = "spice_spice-common" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice;name=spice \ - git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common \ + git://anongit.freedesktop.org/spice/spice;name=spice;branch=master \ + git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common;branch=master \ file://0001-Convert-pthread_t-to-be-numeric.patch \ file://0001-Fix-compile-errors-on-Linux-32bit-system.patch \ " diff --git a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb index 9ee43be1ea..f07fb3b50c 100644 --- a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb +++ b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb @@ -10,7 +10,7 @@ DEPENDS = "libusb1" SRCREV = "07b98b8e71f620dfdd57e92ddef6b677b259a092" SRC_URI = " \ - git://anongit.freedesktop.org/spice/usbredir \ + git://anongit.freedesktop.org/spice/usbredir;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch new file mode 100644 index 0000000000..b7118ba1fb --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch @@ -0,0 +1,62 @@ +From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 17:52:08 +0200 +Subject: [PATCH] Reject RSASSA-PSS params with negative salt length + +The `salt_len` member in the struct is of type `ssize_t` because we use +negative values for special automatic salt lengths when generating +signatures. + +Not checking this could lead to an integer overflow. The value is assigned +to the `len` field of a chunk (`size_t`), which is further used in +calculations to check the padding structure and (if that is passed by a +matching crafted signature value) eventually a memcpy() that will result +in a segmentation fault. + +Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") +Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") +Fixes: CVE-2021-41990 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990] +CVE: CVE-2021-41990 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/keys/signature_params.c | 6 +++++- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c +index d89bd2c96bb5..837de8443d43 100644 +--- a/src/libstrongswan/credentials/keys/signature_params.c ++++ b/src/libstrongswan/credentials/keys/signature_params.c +@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params) + case RSASSA_PSS_PARAMS_SALT_LEN: + if (object.len) + { +- params->salt_len = (size_t)asn1_parse_integer_uint64(object); ++ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object); ++ if (params->salt_len < 0) ++ { ++ goto end; ++ } + } + break; + case RSASSA_PSS_PARAMS_TRAILER: +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index f9bd1d314dec..3a775090883e 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, + int i; + bool success = FALSE; + +- if (!params) ++ if (!params || params->salt_len < 0) + { + return FALSE; + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch new file mode 100644 index 0000000000..2d898fa5cf --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch @@ -0,0 +1,41 @@ +From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 19:38:22 +0200 +Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change + +random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually +equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added +directly to that offset before applying`% CACHE_SIZE` to get an index into +the cache array. If the random value was very high, this resulted in an +integer overflow and a negative index value and, therefore, an out-of-bounds +access of the array and in turn dereferencing invalid pointers when trying +to acquire the read lock. This most likely results in a segmentation fault. + +Fixes: 764e8b2211ce ("reimplemented certificate cache") +Fixes: CVE-2021-41991 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991] +CVE: CVE-2021-41991 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/sets/cert_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c +index f1579c60a9bc..ceebb3843725 100644 +--- a/src/libstrongswan/credentials/sets/cert_cache.c ++++ b/src/libstrongswan/credentials/sets/cert_cache.c +@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this, + for (try = 0; try < REPLACE_TRIES; try++) + { + /* replace a random relation */ +- offset = random(); ++ offset = random() % CACHE_SIZE; + for (i = 0; i < CACHE_SIZE; i++) + { + rel = &this->relations[(i + offset) % CACHE_SIZE]; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch new file mode 100644 index 0000000000..97aa6a0efc --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch @@ -0,0 +1,156 @@ +From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Dec 2021 10:51:35 +0100 +Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails + +Without this, the authentication succeeded if the server sent an early +EAP-Success message for mutual, key-generating EAP methods like EAP-TLS, +which may be used in EAP-only scenarios but would complete without server +or client authentication. For clients configured for such EAP-only +scenarios, a rogue server could capture traffic after the tunnel is +established or even access hosts behind the client. For non-mutual EAP +methods, public key server authentication has been enforced for a while. + +A server previously could also crash a client by sending an EAP-Success +immediately without initiating an actual EAP method. + +Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") +Fixes: CVE-2021-45079 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch] +CVE: CVE-2021-45079 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- + src/libcharon/plugins/eap_md5/eap_md5.c | 2 +- + src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++- + src/libcharon/sa/eap/eap_method.h | 8 ++++- + .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++--- + 5 files changed, 40 insertions(+), 8 deletions(-) + +diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c +index 95ba090b79ce..cffb6222c2f8 100644 +--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c ++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c +@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_gtc_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c +index ab5f7ff6a823..3a92ad7c0a04 100644 +--- a/src/libcharon/plugins/eap_md5/eap_md5.c ++++ b/src/libcharon/plugins/eap_md5/eap_md5.c +@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, is_mutual, bool, +diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c +index 2dc7a423e702..5336dead13d9 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius.c +@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t, + *out = msk; + return SUCCESS; + } +- return FAILED; ++ /* we assume the selected method did not establish an MSK, if it failed ++ * to establish one, process() would have failed */ ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h +index 0b5218dfec15..33564831f86e 100644 +--- a/src/libcharon/sa/eap/eap_method.h ++++ b/src/libcharon/sa/eap/eap_method.h +@@ -114,10 +114,16 @@ struct eap_method_t { + * Not all EAP methods establish a shared secret. For implementations of + * the EAP-Identity method, get_msk() returns the received identity. + * ++ * @note Returning NOT_SUPPORTED is important for implementations of EAP ++ * methods that don't establish an MSK. In particular as client because ++ * key-generating EAP methods MUST fail to process EAP-Success messages if ++ * no MSK is established. ++ * + * @param msk chunk receiving internal stored MSK + * @return +- * - SUCCESS, or ++ * - SUCCESS, if MSK is established + * - FAILED, if MSK not established (yet) ++ * - NOT_SUPPORTED, for non-MSK-establishing methods + */ + status_t (*get_msk) (eap_method_t *this, chunk_t *msk); + +diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +index e1e6cd7ee6f3..87548fc471a6 100644 +--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c ++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + this->method->destroy(this->method); + return server_initiate_eap(this, FALSE); + } +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ switch (this->method->get_msk(this->method, &this->msk)) + { +- this->msk = chunk_clone(this->msk); ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "failed to establish MSK"); ++ goto failure; + } + if (vendor) + { +@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); + case FAILED: + default: ++failure: + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); + if (vendor) +@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t, + uint32_t vendor; + auth_cfg_t *cfg; + +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ if (!this->method) + { +- this->msk = chunk_clone(this->msk); ++ DBG1(DBG_IKE, "received unexpected %N", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; ++ } ++ switch (this->method->get_msk(this->method, &this->msk)) ++ { ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "received %N but failed to establish MSK", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; + } + type = this->method->get_type(this->method, &vendor); + if (vendor) +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch new file mode 100644 index 0000000000..66e5047125 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch @@ -0,0 +1,210 @@ +From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 22 Jul 2022 15:37:43 +0200 +Subject: [PATCH] credential-manager: Do online revocation checks only after + basic trust chain validation + +This avoids querying URLs of potentially untrusted certificates, e.g. if +an attacker sends a specially crafted end-entity and intermediate CA +certificate with a CDP that points to a server that completes the +TCP handshake but then does not send any further data, which will block +the fetcher thread (depending on the plugin) for as long as the default +timeout for TCP. Doing that multiple times will block all worker threads, +leading to a DoS attack. + +The logging during the certificate verification obviously changes. The +following example shows the output of `pki --verify` for the current +strongswan.org certificate: + +new: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + reached self-signed root ca with a path length of 1 +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good +certificate trusted, lifetimes valid, certificate not revoked + +old: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good + reached self-signed root ca with a path length of 1 +certificate trusted, lifetimes valid, certificate not revoked + +Note that this also fixes an issue with the previous dual-use of the +`trusted` flag. It not only indicated whether the chain is trusted but +also whether the current issuer is the root anchor (the corresponding +flag in the `cert_validator_t` interface is called `anchor`). This was +a problem when building multi-level trust chains for pre-trusted +end-entity certificates (i.e. where `trusted` is TRUE from the start). +This caused the main loop to get aborted after the first intermediate CA +certificate and the mentioned `anchor` flag wasn't correct in any calls +to `cert_validator_t` implementations. + +Fixes: CVE-2022-40617 + +CVE: CVE-2022-40617 +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + .../credentials/credential_manager.c | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c +index e93b5943a3a7..798785544e41 100644 +--- a/src/libstrongswan/credentials/credential_manager.c ++++ b/src/libstrongswan/credentials/credential_manager.c +@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this) + */ + static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + time_t not_before, not_after; + cert_validator_t *validator; +@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this, + continue; + } + status = validator->check_lifetime(validator, cert, +- pathlen, trusted, auth); ++ pathlen, anchor, auth); + if (status != NEED_MORE) + { + break; +@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this, + */ + static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, bool online, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || +- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) ++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) + { + return FALSE; + } +@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this, + continue; + } + if (!validator->validate(validator, subject, issuer, +- online, pathlen, trusted, auth)) ++ online, pathlen, anchor, auth)) + { + enumerator->destroy(enumerator); + return FALSE; +@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth_cfg_t *auth; + signature_params_t *scheme; + int pathlen; ++ bool is_anchor = FALSE; + + auth = auth_cfg_create(); + get_key_strength(subject, auth); +@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); +- trusted = TRUE; ++ trusted = is_anchor = TRUE; + } + else + { +@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, " issuer is \"%Y\"", + current->get_issuer(current)); + call_hook(this, CRED_HOOK_NO_ISSUER, current); ++ if (trusted) ++ { ++ DBG1(DBG_CFG, " reached end of incomplete trust chain for " ++ "trusted certificate \"%Y\"", ++ subject->get_subject(subject)); ++ } + break; + } + } +- if (!check_certificate(this, current, issuer, online, +- pathlen, trusted, auth)) ++ /* don't do online verification here */ ++ if (!check_certificate(this, current, issuer, FALSE, ++ pathlen, is_anchor, auth)) + { + trusted = FALSE; + issuer->destroy(issuer); +@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + } + current->destroy(current); + current = issuer; +- if (trusted) ++ if (is_anchor) + { + DBG1(DBG_CFG, " reached self-signed root ca with a " + "path length of %d", pathlen); +@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); + } ++ else if (trusted && online) ++ { ++ enumerator_t *enumerator; ++ auth_rule_t rule; ++ ++ /* do online revocation checks after basic validation of the chain */ ++ pathlen = 0; ++ current = subject; ++ enumerator = auth->create_enumerator(auth); ++ while (enumerator->enumerate(enumerator, &rule, &issuer)) ++ { ++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) ++ { ++ if (!check_certificate(this, current, issuer, TRUE, pathlen++, ++ rule == AUTH_RULE_CA_CERT, auth)) ++ { ++ trusted = FALSE; ++ break; ++ } ++ else if (rule == AUTH_RULE_CA_CERT) ++ { ++ break; ++ } ++ current = issuer; ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + if (trusted) + { + result->merge(result, auth, FALSE); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch new file mode 100644 index 0000000000..c0de1f1588 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch @@ -0,0 +1,46 @@ +From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 11 Jul 2023 12:12:25 +0200 +Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer + overflow + +Seems this was forgotten in the referenced commit and actually could lead +to a buffer overflow. Since charon-tkm is untrusted this isn't that +much of an issue but could at least be easily exploited for a DoS attack +as DH public values are set when handling IKE_SA_INIT requests. + +Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") +Fixes: CVE-2023-41913 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch] +CVE: CVE-2023-41913 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 2b2d103d03e9..6999ad360d7e 100644 +--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, + return TRUE; + } + +- + METHOD(diffie_hellman_t, set_other_public_value, bool, + private_tkm_diffie_hellman_t *this, chunk_t value) + { + dh_pubvalue_type othervalue; ++ ++ if (!key_exchange_verify_pubkey(this->group, value) || ++ value.len > sizeof(othervalue.data)) ++ { ++ return FALSE; ++ } + othervalue.size = value.len; + memcpy(&othervalue.data, value.ptr, value.len); + +-- +2.34.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index 8a8809243a..9f676d0b18 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb @@ -11,6 +11,11 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://fix-funtion-parameter.patch \ file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \ file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \ + file://CVE-2021-41990.patch \ + file://CVE-2021-41991.patch \ + file://CVE-2021-45079.patch \ + file://CVE-2022-40617.patch \ + file://CVE-2023-41913.patch \ " SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29" diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.56.bb b/meta-networking/recipes-support/stunnel/stunnel_5.57.bb index 3411e5d0c7..8f6de571f3 100644 --- a/meta-networking/recipes-support/stunnel/stunnel_5.56.bb +++ b/meta-networking/recipes-support/stunnel/stunnel_5.57.bb @@ -6,7 +6,7 @@ SECTION = "net" # a combined work based on stunnel. Thus, the terms and conditions of the GNU # General Public License cover the whole combination. LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING.md;md5=d6d635d290ba1705821254a0278f1ef7" +LIC_FILES_CHKSUM = "file://COPYING.md;md5=6bae28875b3b599f8f621f4335b17955" DEPENDS = "autoconf-archive libnsl2 openssl" @@ -14,8 +14,7 @@ SRC_URI = "ftp://ftp.stunnel.org/stunnel/archive/5.x/${BP}.tar.gz \ file://fix-openssl-no-des.patch \ " -SRC_URI[md5sum] = "01b0ca9e071f582ff803a85d5ed72166" -SRC_URI[sha256sum] = "7384bfb356b9a89ddfee70b5ca494d187605bb516b4fff597e167f97e2236b22" +SRC_URI[sha256sum] = "af5ab973dde11807c38735b87bdd87563a47d2fa1c72a07929fcfce80a600fe1" inherit autotools diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch index 9b74e00c5b..84d4716f38 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch @@ -9,6 +9,7 @@ if we haven't captured all of it. (backported from commit e4add0b010ed6f2180dcb05a13026242ed935334) +CVE: CVE-2020-8037 Upstream-Status: Backport Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch new file mode 100644 index 0000000000..5f5c68ccd6 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch @@ -0,0 +1,111 @@ +From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Wed, 30 Sep 2020 11:37:30 -0700 +Subject: [PATCH] Handle very large -f files by rejecting them. + +_read(), on Windows, has a 32-bit size argument and a 32-bit return +value, so reject -f files that have more than 2^31-1 characters. + +Add some #defines so that, on Windows, we use _fstati64 to get the size +of that file, to handle large files. + +Don't assume that our definition for ssize_t is the same size as size_t; +by the time we want to print the return value of the read, we know it'll +fit into an int, so just cast it to int and print it with %d. + +(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77) + +CVE: CVE-2022-25308 +Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86] + +Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> + +--- + netdissect-stdinc.h | 16 +++++++++++++++- + tcpdump.c | 15 ++++++++++++--- + 2 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h +index 8282c5846..9941c2a16 100644 +--- a/netdissect-stdinc.h ++++ b/netdissect-stdinc.h +@@ -149,10 +149,17 @@ + #ifdef _MSC_VER + #define stat _stat + #define open _open +-#define fstat _fstat + #define read _read + #define close _close + #define O_RDONLY _O_RDONLY ++ ++/* ++ * We define our_fstat64 as _fstati64, and define our_statb as ++ * struct _stati64, so we get 64-bit file sizes. ++ */ ++#define our_fstat _fstati64 ++#define our_statb struct _stati64 ++ + #endif /* _MSC_VER */ + + /* +@@ -211,6 +218,13 @@ typedef char* caddr_t; + + #include <arpa/inet.h> + ++/* ++ * We should have large file support enabled, if it's available, ++ * so just use fstat as our_fstat and struct stat as our_statb. ++ */ ++#define our_fstat fstat ++#define our_statb struct stat ++ + #endif /* _WIN32 */ + + #ifndef HAVE___ATTRIBUTE__ +diff --git a/tcpdump.c b/tcpdump.c +index 043bda1d7..8f27ba2a4 100644 +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n"; + #endif /* HAVE_CAP_NG_H */ + #endif /* HAVE_LIBCAP_NG */ + ++#include "netdissect-stdinc.h" + #include "netdissect.h" + #include "interface.h" + #include "addrtoname.h" +@@ -861,15 +862,22 @@ read_infile(char *fname) + { + register int i, fd, cc; + register char *cp; +- struct stat buf; ++ our_statb buf; + + fd = open(fname, O_RDONLY|O_BINARY); + if (fd < 0) + error("can't open %s: %s", fname, pcap_strerror(errno)); + +- if (fstat(fd, &buf) < 0) ++ if (our_fstat(fd, &buf) < 0) + error("can't stat %s: %s", fname, pcap_strerror(errno)); + ++ /* ++ * Reject files whose size doesn't fit into an int; a filter ++ * *that* large will probably be too big. ++ */ ++ if (buf.st_size > INT_MAX) ++ error("%s is too large", fname); ++ + cp = malloc((u_int)buf.st_size + 1); + if (cp == NULL) + error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, +@@ -878,7 +886,8 @@ read_infile(char *fname) + if (cc < 0) + error("read %s: %s", fname, pcap_strerror(errno)); + if (cc != buf.st_size) +- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size); ++ error("short read %s (%d != %d)", fname, (int) cc, ++ (int)buf.st_size); + + close(fd); + /* replace "# comment" with spaces */ diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb index 8f7bd59f18..66bf217751 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb @@ -18,6 +18,7 @@ SRC_URI = " \ file://add-ptest.patch \ file://run-ptest \ file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \ + file://CVE-2018-16301.patch \ " SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae" @@ -50,3 +51,8 @@ do_install_append() { do_compile_ptest() { oe_runmake buildtest-TESTS } + +#https://nvd.nist.gov/vuln/detail/CVE-2020-8036 +#Introduce in 4.9 by 246ca110 Autosar SOME/IP protocol support +#which does not exist in 4.9.3 +CVE_CHECK_WHITELIST += "CVE-2020-8036" diff --git a/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch new file mode 100644 index 0000000000..3ca9a831f4 --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch @@ -0,0 +1,37 @@ +From d3110859064b15408dbca1294dc7e31c2208504d Mon Sep 17 00:00:00 2001 +From: Gabriel Ganne <gabriel.ganne@gmail.com> +Date: Mon, 3 Aug 2020 08:26:38 +0200 +Subject: [PATCH] fix heap-buffer-overflow when DLT_JUNIPER_ETHER + +The test logic on datalen was inverted. + +Processing truncated packats should now raise a warning like the +following: + Warning: <pcap> was captured using a snaplen of 4 bytes. This may mean you have truncated packets. + +Fixes #616 #617 + +CVE: CVE-2020-24265 +CVE: CVE-2020-24266 +Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d] + +Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com> +Signed-off-by: Akash Hadke <akash.hadke@kpit.com> +Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> +--- + src/common/get.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/get.c b/src/common/get.c +index f9ee92d3..0517bf0a 100644 +--- a/src/common/get.c ++++ b/src/common/get.c +@@ -178,7 +178,7 @@ get_l2len(const u_char *pktdata, const int datalen, const int datalink) + break; + + case DLT_JUNIPER_ETHER: +- if (datalen >= 5) { ++ if (datalen < 5) { + l2_len = -1; + break; + } diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb index 39be950ad4..557d323311 100644 --- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb @@ -6,7 +6,8 @@ SECTION = "net" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=890b830b22fd632e9ffd996df20338f8" -SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz" +SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \ + file://CVE-2020-24265-and-CVE-2020-24266.patch" SRC_URI[md5sum] = "53b52bf64f0b6b9443428e657b37bc6b" SRC_URI[sha256sum] = "ed2402caa9434ff5c74b2e7b31178c73e7c7c5c4ea1e1d0e2e39a7dc46958fde" diff --git a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb index 19bbf03f1d..c1ad203bc0 100644 --- a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb +++ b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb @@ -19,8 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/traceroute/traceroute/${BP}/${BP}.tar.gz \ file://filter-out-the-patches-from-subdirs.patch \ " -SRC_URI[md5sum] = "84d329d67abc3fb83fc8cb12aeaddaba" -SRC_URI[sha256sum] = "3669d22a34d3f38ed50caba18cd525ba55c5c00d5465f2d20d7472e5d81603b6" +SRC_URI[sha256sum] = "05ebc7aba28a9100f9bbae54ceecbf75c82ccf46bdfce8b5d64806459a7e0412" EXTRA_OEMAKE = "VPATH=${STAGING_LIBDIR}" diff --git a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb index 6200214acb..f4b3c28ae4 100644 --- a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb +++ b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb @@ -9,7 +9,7 @@ SECTION = "net" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06" -SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master \ +SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master;protocol=https \ file://0001-contrib-add-yocto-compatible-startup-scripts.patch \ " SRCREV="b60c4a472c856f0a98120b7259e991b3a6507eb5" diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch new file mode 100644 index 0000000000..1fc4a5fe38 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch @@ -0,0 +1,93 @@ +From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 13 May 2023 21:45:16 -0400 +Subject: GDSDB: Make sure our offset advances. + +add_uint_string() returns the next offset to use, not the number +of bytes consumed. So to consume all the bytes and make sure the +offset advances, return the entire reported tvb length, not the +number of bytes remaining. + +Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f + +Fixes #19068 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677] +CVE: CVE-2022-0585 & CVE-2023-2879 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c +index 95fed7e..950d68f 100644 +--- a/epan/dissectors/packet-gdsdb.c ++++ b/epan/dissectors/packet-gdsdb.c +@@ -15,6 +15,7 @@ + #include "config.h" + + #include <epan/packet.h> ++#include <epan/expert.h> + + void proto_register_gdsdb(void); + void proto_reg_handoff_gdsdb(void); +@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1; + static int hf_gdsdb_sqlresponse_messages = -1; + #endif + ++static expert_field ei_gdsdb_invalid_length = EI_INIT; ++ + enum + { + op_void = 0, +@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o + offset, 4, ENC_ASCII|ENC_BIG_ENDIAN); + length = dword_align(tvb_get_ntohl(tvb, offset))+4; + proto_item_set_len(ti, length); +- return offset + length; ++ int ret_offset = offset + length; ++ if (length < 4 || ret_offset < offset) { ++ expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length); ++ return tvb_reported_length(tvb); ++ } ++ return ret_offset; + } + + static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset) +@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U + offset, 4, ENC_BIG_ENDIAN); + + /* opcode < op_max */ ++ int old_offset = offset; + offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4); ++ if (offset <= old_offset) { ++ expert_add_info(NULL, ti, &ei_gdsdb_invalid_length); ++ return tvb_reported_length_remaining(tvb, old_offset); ++ } + if (offset < 0) + { + /* But at this moment we don't know how much we will need */ +@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void) + &ett_gdsdb_connect_pref + }; + ++/* Expert info */ ++ static ei_register_info ei[] = { ++ { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR, ++ "Invalid length", EXPFILL }}, ++ }; ++ + proto_gdsdb = proto_register_protocol( + "Firebird SQL Database Remote Protocol", + "FB/IB GDS DB", "gdsdb"); + + proto_register_field_array(proto_gdsdb, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); ++ expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb); ++ expert_register_field_array(expert_gdsdb, ei, array_length(ei)); + } + + void +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch new file mode 100644 index 0000000000..938b7cf772 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch @@ -0,0 +1,52 @@ +From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 1 Dec 2022 20:46:15 -0500 +Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats + +The ofp_stats struct length field includes the fixed 4 bytes. +If the length is smaller than that, report the length error +and break out. In particular, a value of zero can cause +infinite loops if this isn't done. + + +(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f] +CVE: CVE-2022-4345 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + epan/dissectors/packet-openflow_v6.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c +index f3bd0ef..96a3233 100644 +--- a/epan/dissectors/packet-openflow_v6.c ++++ b/epan/dissectors/packet-openflow_v6.c +@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, + static int + dissect_openflow_stats_v6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_) + { ++ proto_item *ti; + guint32 stats_length; + int oxs_end; + guint32 padding; + + proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA); + +- proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length); ++ ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length); + + oxs_end = offset + stats_length; + offset+=4; + ++ if (stats_length < 4) { ++ expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short); ++ return offset; ++ } ++ + while (offset < oxs_end) { + offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset); + } +-- +2.40.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch new file mode 100644 index 0000000000..e6fc158c3a --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch @@ -0,0 +1,153 @@ +From 35418a73f7c9cefebe392b1ea0f012fccaf89801 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Wed, 19 Aug 2020 23:58:20 -0700 +Subject: [PATCH] Add format_text_string(), which gets the length with + strlen(). + +format_text(alloc, string, strlen(string)) is a common idiom; provide +format_text_string(), which does the strlen(string) for you. (Any +string used in a %s to set the text of a protocol tree item, if it was +directly extracted from the packet, should be run through a format_text +routine, to ensure that it's valid UTF-8 and that control characters are +handled correctly.) + +Update comments while we're at it. + +Change-Id: Ia8549efa1c96510ffce97178ed4ff7be4b02eb6e +Reviewed-on: https://code.wireshark.org/review/38202 +Petri-Dish: Guy Harris <gharris@sonic.net> +Tested-by: Petri Dish Buildbot +Reviewed-by: Guy Harris <gharris@sonic.net> + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/35418a73f7c9cefebe392b1ea0f012fccaf89801] +Comment: to backport fix for CVE-2023-0667, add function format_text_string(). +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/strutil.c | 33 ++++++++++++++++++++++++++++---- + epan/strutil.h | 51 ++++++++++++++++++++++++++++++++++++++++++++++---- + 2 files changed, 76 insertions(+), 8 deletions(-) + +diff --git a/epan/strutil.c b/epan/strutil.c +index 347a173..bc3b19e 100644 +--- a/epan/strutil.c ++++ b/epan/strutil.c +@@ -193,10 +193,11 @@ get_token_len(const guchar *linep, const guchar *lineend, + #define UNPOOP 0x1F4A9 + + /* +- * Given a string, expected to be in UTF-8 but possibly containing +- * invalid sequences (as it may have come from packet data), generate +- * a valid UTF-8 string from it, allocated with the specified wmem +- * allocator, that: ++ * Given a wmem scope, a not-necessarily-null-terminated string, ++ * expected to be in UTF-8 but possibly containing invalid sequences ++ * (as it may have come from packet data), and the length of the string, ++ * generate a valid UTF-8 string from it, allocated in the specified ++ * wmem scope, that: + * + * shows printable Unicode characters as themselves; + * +@@ -493,6 +494,30 @@ format_text(wmem_allocator_t* allocator, const guchar *string, size_t len) + return fmtbuf; + } + ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ */ ++gchar * ++format_text_string(wmem_allocator_t* allocator, const guchar *string) ++{ ++ return format_text(allocator, string, strlen(string)); ++} ++ + /* + * Given a string, generate a string from it that shows non-printable + * characters as C-style escapes except a whitespace character +diff --git a/epan/strutil.h b/epan/strutil.h +index 2046cb0..705beb5 100644 +--- a/epan/strutil.h ++++ b/epan/strutil.h +@@ -46,18 +46,61 @@ WS_DLL_PUBLIC + int get_token_len(const guchar *linep, const guchar *lineend, + const guchar **next_token); + +-/** Given a string, generate a string from it that shows non-printable +- * characters as C-style escapes, and return a pointer to it. ++/** Given a wmem scope, a not-necessarily-null-terminated string, ++ * expected to be in UTF-8 but possibly containing invalid sequences ++ * (as it may have come from packet data), and the length of the string, ++ * generate a valid UTF-8 string from it, allocated in the specified ++ * wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. + * + * @param allocator The wmem scope +- * @param line A pointer to the input string ++ * @param string A pointer to the input string + * @param len The length of the input string + * @return A pointer to the formatted string + * + * @see tvb_format_text() + */ + WS_DLL_PUBLIC +-gchar* format_text(wmem_allocator_t* allocator, const guchar *line, size_t len); ++gchar* format_text(wmem_allocator_t* allocator, const guchar *string, size_t len); ++ ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ * ++ * @param allocator The wmem scope ++ * @param string A pointer to the input string ++ * @return A pointer to the formatted string ++ * ++ * @see tvb_format_text() ++ */ ++WS_DLL_PUBLIC ++gchar* format_text_string(wmem_allocator_t* allocator, const guchar *string); + + /** + * Given a string, generate a string from it that shows non-printable +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch new file mode 100644 index 0000000000..3fc5296073 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch @@ -0,0 +1,66 @@ +From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 18 May 2023 18:06:36 -0400 +Subject: [PATCH] MS-MMS: Use format_text_string() + +The length of a string transcoded from UTF-16 to UTF-8 can be +shorter (or longer) than the original length in bytes in the packet. +Use the new string length, not the original length. + +Use format_text_string, which is a convenience function that +calls strlen. + +Fix #19086 + +(cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a] +CVE: CVE-2023-0667 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-ms-mms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c +index db1d2cc..3d5c7ee 100644 +--- a/epan/dissectors/packet-ms-mms.c ++++ b/epan/dissectors/packet-ms-mms.c +@@ -739,7 +739,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro + transport_info, "Transport: (%s)", transport_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20)); ++ format_text_string(pinfo->pool, (const guchar*)transport_info)); + + + /* Try to extract details from this string */ +@@ -836,7 +836,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')", +- format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version))); ++ format_text_string(pinfo->pool, (const guchar*)server_version)); + } + offset += (server_version_length*2); + +@@ -890,7 +890,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_ + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info))); ++ format_text_string(pinfo->pool, (const guchar*)player_info)); + } + + /* Dissect info about where client wants to start playing from */ +@@ -965,7 +965,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file))); ++ format_text_string(pinfo->pool, (const guchar*)server_file)); + } + + /* Dissect media details from server */ +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch new file mode 100644 index 0000000000..42f8108301 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch @@ -0,0 +1,33 @@ +From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 20 May 2023 23:08:08 -0400 +Subject: [PATCH] synphasor: Use val_to_str_const + +Don't use a value from packet data to directly index a value_string, +particularly when the value string doesn't cover all possible values. + +Fix #19087 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9] +CVE: CVE-2023-0668 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-synphasor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c +index 2d2f4ad..47120f5 100644 +--- a/epan/dissectors/packet-synphasor.c ++++ b/epan/dissectors/packet-synphasor.c +@@ -1130,7 +1130,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c + + data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, + ett_conf_phflags, NULL, "Phasor Data flags: %s", +- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); ++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); + + /* first and second bytes - phasor modification flags*/ + phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch new file mode 100644 index 0000000000..2fbef6bae0 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch @@ -0,0 +1,62 @@ +From 3c8be14c827f1587da3c2b3bb0d9c04faff57413 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sun, 19 Mar 2023 15:16:39 -0400 +Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets + +Add a frame end routine for a global which is assigned to packet +scoped memory. It really should be made proto data, but is used +in a function in the header (that doesn't take the packet info +struct as an argument) and this fix needs to be made in stable +branches. + +Fix #18852 +--- +Upstream-Status: Backport from [https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff57413] +CVE: CVE-2023-1992 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c +index 680187b2653..3f250f0ea1c 100644 +--- a/epan/dissectors/packet-rpcrdma.c ++++ b/epan/dissectors/packet-rpcrdma.c +@@ -24,6 +24,7 @@ + #include <epan/addr_resolv.h> + + #include "packet-rpcrdma.h" ++#include "packet-frame.h" + #include "packet-infiniband.h" + #include "packet-iwarp-ddp-rdmap.h" + +@@ -285,6 +286,18 @@ void rpcrdma_insert_offset(gint offset) + wmem_array_append_one(gp_rdma_write_offsets, offset); + } + ++/* ++ * Reset the array of write offsets at the end of the frame. These ++ * are packet scoped, so they don't need to be freed, but we want ++ * to ensure that the global doesn't point to no longer allocated ++ * memory in a later packet. ++ */ ++static void ++reset_write_offsets(void) ++{ ++ gp_rdma_write_offsets = NULL; ++} ++ + /* Get conversation state, it is created if it does not exist */ + static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo) + { +@@ -1600,6 +1613,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data + if (write_size > 0 && !pinfo->fd->visited) { + /* Initialize array of write chunk offsets */ + gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint)); ++ register_frame_end_routine(pinfo, reset_write_offsets); + TRY { + /* + * Call the upper layer dissector to get a list of offsets +-- +GitLab + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..a6370f91cf --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch @@ -0,0 +1,117 @@ +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb] +CVE: CVE-2023-2855 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/candump.c | 47 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 3eb17dd..954b509 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -57,9 +58,20 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + if (msg->is_fd) + { +- canfd_frame_t canfd_frame; ++ canfd_frame_t canfd_frame = {0}; ++ ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. ++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } + +- memset(&canfd_frame, 0, sizeof(canfd_frame)); + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -69,10 +81,21 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + } + else + { +- can_frame_t can_frame; ++ can_frame_t can_frame = {0}; ++ ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } + +- memset(&can_frame, 0, sizeof(can_frame)); +- can_frame.can_id = msg->id; ++ can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); + +@@ -86,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -193,9 +218,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -219,9 +242,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + /* +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..1fb75353b4 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch @@ -0,0 +1,68 @@ +From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] +CVE: CVE-2023-2856 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 84e3def..fa77689 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -310,6 +310,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -366,7 +367,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -382,9 +383,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..150b4609bb --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch @@ -0,0 +1,94 @@ +From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105] +CVE: CVE-2023-2858 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 93da9a2..f835dfa 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1082,13 +1082,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info) + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1153,6 +1153,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1166,6 +1168,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1183,6 +1187,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1466,14 +1472,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +@@ -1580,7 +1586,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch new file mode 100644 index 0000000000..3a81a3c714 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch @@ -0,0 +1,38 @@ +From 44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d Mon Sep 17 00:00:00 2001 +From: Jaap Keuter <jaap.keuter@xs4all.nl> +Date: Thu, 27 Jul 2023 20:21:19 +0200 +Subject: [PATCH] CP2179: Handle timetag info response without records + +Fixes #19229 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d] +CVE: CVE-2023-2906 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-cp2179.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-cp2179.c b/epan/dissectors/packet-cp2179.c +index 142cac3..9fc9a47 100644 +--- a/epan/dissectors/packet-cp2179.c ++++ b/epan/dissectors/packet-cp2179.c +@@ -721,11 +721,14 @@ dissect_response_frame(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, int + proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN); + + num_records = tvb_get_guint8(tvb, offset) & 0x7F; ++ offset += 1; ++ ++ if (num_records == 0 || numberofcharacters <= 1) ++ break; ++ + recordsize = (numberofcharacters-1) / num_records; + num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */ + +- offset += 1; +- + for (x = 0; x < num_records; x++) + { + cp2179_event_tree = proto_tree_add_subtree_format(cp2179_proto_tree, tvb, offset, recordsize, ett_cp2179_event, NULL, "Event Record # %d", x+1); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch new file mode 100644 index 0000000000..82098271ec --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch @@ -0,0 +1,97 @@ +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001 +From: Gerald Combs <gerald@wireshark.org> +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5] +CVE: CVE-2023-2952 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index f59d899..6c1445f 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + if(packet_start_pointer_field_present) { + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer); + +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + while (docsis_start + 6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + docsis_start += 1; + continue; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { +- guint16 offset = 0; ++ int offset = 0; + proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch new file mode 100644 index 0000000000..5e92bd8a28 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch @@ -0,0 +1,231 @@ +From 75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 24 Jun 2023 00:34:50 -0400 +Subject: [PATCH] iscsi: Check bounds when extracting TargetAddress + +Use tvb_ functions that do bounds checking when parsing the +TargetAddress string, instead of incrementing a pointer to an +extracted char* and sometimes accidentally overrunning the +string. + +While we're there, go ahead and add support for IPv6 addresses. + +Fix #19164 + +(backported from commit 94349bbdaeb384b12d554dd65e7be7ceb0e93d21) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c] +CVE: CVE-2023-3649 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-iscsi.c | 146 +++++++++++++++++---------------- + 1 file changed, 75 insertions(+), 71 deletions(-) + +diff --git a/epan/dissectors/packet-iscsi.c b/epan/dissectors/packet-iscsi.c +index 8a80f49..08f44a8 100644 +--- a/epan/dissectors/packet-iscsi.c ++++ b/epan/dissectors/packet-iscsi.c +@@ -20,8 +20,6 @@ + + #include "config.h" + +-#include <stdio.h> +- + #include <epan/packet.h> + #include <epan/prefs.h> + #include <epan/conversation.h> +@@ -29,6 +27,7 @@ + #include "packet-scsi.h" + #include <epan/crc32-tvb.h> + #include <wsutil/crc32.h> ++#include <wsutil/inet_addr.h> + #include <wsutil/strtoi.h> + + void proto_register_iscsi(void); +@@ -512,70 +511,81 @@ typedef struct _iscsi_conv_data { + dissector for the address/port that TargetAddress points to. + (it starts to be common to use redirectors to point to non-3260 ports) + */ ++static address null_address = ADDRESS_INIT_NONE; ++ + static void +-iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, char *val, guint offset) ++iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, guint offset) + { +- address *addr = NULL; ++ address addr = ADDRESS_INIT_NONE; + guint16 port; +- char *value = wmem_strdup(wmem_packet_scope(), val); +- char *p = NULL, *pgt = NULL; +- +- if (value[0] == '[') { +- /* this looks like an ipv6 address */ +- p = strchr(value, ']'); +- if (p != NULL) { +- *p = 0; +- p += 2; /* skip past "]:" */ +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } ++ int colon_offset; ++ int end_offset; ++ char *ip_str, *port_str; ++ ++ colon_offset = tvb_find_guint8(tvb, offset, -1, ':'); ++ if (colon_offset == -1) { ++ /* RFC 7143 13.8 TargetAddress "If the TCP port is not specified, ++ * it is assumed to be the IANA-assigned default port for iSCSI", ++ * so nothing to do here. ++ */ ++ return; ++ } + +- /* can't handle ipv6 yet */ ++ /* We found a colon, so there's at least one byte and this won't fail. */ ++ if (tvb_get_guint8(tvb, offset) == '[') { ++ offset++; ++ /* could be an ipv6 address */ ++ end_offset = tvb_find_guint8(tvb, offset, -1, ']'); ++ if (end_offset == -1) { ++ return; + } +- } else { +- /* This is either a ipv4 address or a dns name */ +- int i0,i1,i2,i3; +- if (sscanf(value, "%d.%d.%d.%d", &i0,&i1,&i2,&i3) == 4) { +- /* looks like a ipv4 address */ +- p = strchr(value, ':'); +- if (p != NULL) { +- char *addr_data; +- +- *p++ = 0; +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } + +- addr_data = (char *) wmem_alloc(wmem_packet_scope(), 4); +- addr_data[0] = i0; +- addr_data[1] = i1; +- addr_data[2] = i2; +- addr_data[3] = i3; +- +- addr = wmem_new(wmem_packet_scope(), address); +- addr->type = AT_IPv4; +- addr->len = 4; +- addr->data = addr_data; ++ /* look for the colon before the port, if any */ ++ colon_offset = tvb_find_guint8(tvb, end_offset, -1, ':'); ++ if (colon_offset == -1) { ++ return; ++ } + +- if (!ws_strtou16(p, NULL, &port)) { +- proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, +- tvb, offset + (guint)strlen(value), (guint)strlen(p), "Invalid port: %s", p); +- } +- } ++ ws_in6_addr *ip6_addr = wmem_new(pinfo->pool, ws_in6_addr); ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, end_offset - offset, ENC_ASCII); ++ if (ws_inet_pton6(ip_str, ip6_addr)) { ++ /* looks like a ipv6 address */ ++ set_address(&addr, AT_IPv6, sizeof(ws_in6_addr), ip6_addr); ++ } + ++ } else { ++ /* This is either a ipv4 address or a dns name */ ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, colon_offset - offset, ENC_ASCII); ++ ws_in4_addr *ip4_addr = wmem_new(pinfo->pool, ws_in4_addr); ++ if (ws_inet_pton4(ip_str, ip4_addr)) { ++ /* looks like a ipv4 address */ ++ set_address(&addr, AT_IPv4, 4, ip4_addr); + } ++ /* else a DNS host name; we could, theoretically, try to use ++ * name resolution information in the capture to lookup the address. ++ */ + } + ++ /* Extract the port */ ++ end_offset = tvb_find_guint8(tvb, colon_offset, -1, ','); ++ int port_len; ++ if (end_offset == -1) { ++ port_len = tvb_reported_length_remaining(tvb, colon_offset + 1); ++ } else { ++ port_len = end_offset - (colon_offset + 1); ++ } ++ port_str = tvb_get_string_enc(pinfo->pool, tvb, colon_offset + 1, port_len, ENC_ASCII); ++ if (!ws_strtou16(port_str, NULL, &port)) { ++ proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, ++ tvb, colon_offset + 1, port_len, "Invalid port: %s", port_str); ++ return; ++ } + + /* attach a conversation dissector to this address/port tuple */ +- if (addr && !pinfo->fd->visited) { ++ if (!addresses_equal(&addr, &null_address) && !pinfo->fd->visited) { + conversation_t *conv; + +- conv = conversation_new(pinfo->num, addr, addr, ENDPOINT_TCP, port, port, NO_ADDR2|NO_PORT2); ++ conv = conversation_new(pinfo->num, &addr, &null_address, ENDPOINT_TCP, port, 0, NO_ADDR2|NO_PORT2); + if (conv == NULL) { + return; + } +@@ -587,30 +597,24 @@ iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, + static gint + addTextKeys(packet_info *pinfo, proto_tree *tt, tvbuff_t *tvb, gint offset, guint32 text_len) { + const gint limit = offset + text_len; ++ tvbuff_t *keyvalue_tvb; ++ int len, value_offset; + + while(offset < limit) { +- char *key = NULL, *value = NULL; +- gint len = tvb_strnlen(tvb, offset, limit - offset); +- +- if(len == -1) { +- len = limit - offset; +- } else { +- len = len + 1; +- } +- +- key = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_ASCII); +- if (key == NULL) { +- break; +- } +- value = strchr(key, '='); +- if (value == NULL) { ++ /* RFC 7143 6.1 Text Format: "Every key=value pair, including the ++ * last or only pair in a LTDS, MUST be followed by one null (0x00) ++ * delimiter. ++ */ ++ proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len); ++ keyvalue_tvb = tvb_new_subset_length(tvb, offset, len); ++ value_offset = tvb_find_guint8(keyvalue_tvb, 0, len, '='); ++ if (value_offset == -1) { + break; + } +- *value++ = 0; ++ value_offset++; + +- proto_tree_add_item(tt, hf_iscsi_KeyValue, tvb, offset, len, ENC_ASCII|ENC_NA); +- if (!strcmp(key, "TargetAddress")) { +- iscsi_dissect_TargetAddress(pinfo, tvb, tt, value, offset + (guint)strlen("TargetAddress") + 2); ++ if (tvb_strneql(keyvalue_tvb, 0, "TargetAddress=", strlen("TargetAddress=")) == 0) { ++ iscsi_dissect_TargetAddress(pinfo, keyvalue_tvb, tt, value_offset); + } + + offset += len; +@@ -2941,7 +2945,7 @@ proto_register_iscsi(void) + }, + { &hf_iscsi_KeyValue, + { "KeyValue", "iscsi.keyvalue", +- FT_STRING, BASE_NONE, NULL, 0, ++ FT_STRINGZ, BASE_NONE, NULL, 0, + "Key/value pair", HFILL } + }, + { &hf_iscsi_Text_F, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch new file mode 100644 index 0000000000..c4dfb6c37d --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch @@ -0,0 +1,42 @@ +From a8586fde3a6512466afb2a660538ef3fe712076b Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 23 Nov 2023 13:47:51 -0500 +Subject: [PATCH] gvcp: Don't try to add a NULL string to a column + +This was caught as an invalid argument by g_strlcpy before 4.2, +but it was never a good idea. + +Fix #19496 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/a8586fde3a6512466afb2a660538ef3fe712076b] +CVE: CVE-2024-0208 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-gvcp.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/epan/dissectors/packet-gvcp.c b/epan/dissectors/packet-gvcp.c +index 2de4552..b94ddea 100644 +--- a/epan/dissectors/packet-gvcp.c ++++ b/epan/dissectors/packet-gvcp.c +@@ -2222,15 +2222,12 @@ static void dissect_readreg_ack(proto_tree *gvcp_telegram_tree, tvbuff_t *tvb, p + if (addr_list_size > 0) + { + address_string = get_register_name_from_address(*((guint32*)wmem_array_index(gvcp_trans->addr_list, 0)), gvcp_info, &is_custom_register); ++ col_append_str(pinfo->cinfo, COL_INFO, address_string); + } + + if (num_registers) + { +- col_append_fstr(pinfo->cinfo, COL_INFO, "%s Value=0x%08X", address_string, tvb_get_ntohl(tvb, offset)); +- } +- else +- { +- col_append_str(pinfo->cinfo, COL_INFO, address_string); ++ col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "Value=0x%08X", tvb_get_ntohl(tvb, offset)); + } + } + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch new file mode 100644 index 0000000000..54438dd870 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch @@ -0,0 +1,22 @@ +Fix update to build for alt arch machine. + +Commit 9ca6e39c7ee26570e29dc87332ffb0f6c1d0e4a4 changed the UseLemon to use +the target lemon built by the target wireshark. Revert to use the one built by +wireshark-native. + +Upstream-Status: Inappropriate [configuration] +Signed-off: Armin Kuster <akuster@mvista.com> + +Index: wireshark-3.2.18/cmake/modules/UseLemon.cmake +=================================================================== +--- wireshark-3.2.18.orig/cmake/modules/UseLemon.cmake ++++ wireshark-3.2.18/cmake/modules/UseLemon.cmake +@@ -13,7 +13,7 @@ MACRO(ADD_LEMON_FILES _source _generated + # These files are generated as side-effect + ${_out}.h + ${_out}.out +- COMMAND $<TARGET_FILE:lemon> ++ COMMAND lemon + -T${_lemonpardir}/lempar.c + -d. + ${_in} diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index d284824149..8054cbb5aa 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb @@ -8,11 +8,25 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native " -SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz" - +SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \ + file://fix_lemon_path.patch \ + file://CVE-2023-2855.patch \ + file://CVE-2023-2856.patch \ + file://CVE-2023-2858.patch \ + file://CVE-2023-2952.patch \ + file://CVE-2023-0667-pre1.patch \ + file://CVE-2023-0667.patch \ + file://CVE-2023-0668.patch \ + file://CVE-2023-2906.patch \ + file://CVE-2023-3649.patch \ + file://CVE-2022-0585-CVE-2023-2879.patch \ + file://CVE-2022-4345.patch \ + file://CVE-2024-0208.patch \ + file://CVE-2023-1992.patch \ + " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "1e9e239f2449f240a7910ed598084ccaf8ea308b2b46b196c5adbec59612226c" +SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887" PE = "1" diff --git a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb index bab75fee3f..6b83cbd522 100644 --- a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb +++ b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4cfd939b1d7e6aba9fcefb7f6e2fd45d" DEPENDS = "libnl" -SRC_URI = "git://github.com/linux-wpan/wpan-tools" +SRC_URI = "git://github.com/linux-wpan/wpan-tools;branch=master;protocol=https" SRCREV = "a316ca2caa746d60817400e5bf646c2820f09273" S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb index de4fa16426..75a206c6b8 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" inherit setuptools3 -SRC_URI = "git://github.com/sivel/speedtest-cli.git" +SRC_URI = "git://github.com/sivel/speedtest-cli.git;branch=master;protocol=https" SRCREV = "c58ad3367bf27f4b4a4d5b1bca29ebd574731c5d" S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb index 065243ccfe..604d989ed9 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb @@ -21,8 +21,8 @@ SRCREV_inih = "4b10c654051a86556dfdb634c891b6c3224c4109" SRCREV_FORMAT = "rwmem_inih" SRC_URI = " \ - git://github.com/tomba/rwmem.git;protocol=https;name=rwmem \ - git://github.com/benhoyt/inih.git;protocol=https;name=inih;nobranch=1;destsuffix=git/ext/inih \ + git://github.com/tomba/rwmem.git;protocol=https;name=rwmem;branch=master \ + git://github.com/benhoyt/inih.git;protocol=https;name=inih;branch=master;destsuffix=git/ext/inih \ " S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 58841ef319..cc15a8de31 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb @@ -14,7 +14,7 @@ inherit scons dos2unix siteinfo python3native PV = "4.2.2" #v4.2.2 SRCREV = "a0bbbff6ada159e19298d37946ac8dc4b497eadf" -SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2 \ +SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2;protocol=https \ file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \ file://0001-Use-long-long-instead-of-int64_t.patch \ file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \ @@ -56,6 +56,8 @@ EXTRA_OESCONS = "--prefix=${D}${prefix} \ LINKFLAGS='${LDFLAGS}' \ CXXFLAGS='${CXXFLAGS}' \ TARGET_ARCH=${TARGET_ARCH} \ + MONGO_VERSION=${PV} \ + OBJCOPY=${OBJCOPY} \ --ssl \ --disable-warnings-as-errors \ --use-system-zlib \ diff --git a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb index 275b984e47..f0a0c67975 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=18810669f13b87348459e611d31ab760 \ PV = "0.5.9+git${SRCPV}" SRCREV = "3a3d622d9bb74c44fa67bc20573751a207514134" -SRC_URI = "git://github.com/lcdproc/lcdproc \ +SRC_URI = "git://github.com/lcdproc/lcdproc;branch=master;protocol=https \ file://0001-Fix-parallel-build-fix-port-internal-make-dependenci.patch \ file://0002-Include-limits.h-for-PATH_MAX-definition.patch \ file://0003-Fix-non-x86-platforms-on-musl.patch \ diff --git a/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb b/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb index 90db9c3f3e..fa1bad021c 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb @@ -39,5 +39,3 @@ RRECOMMENDS_${PN} = "python3-matplotlib python3-numpy" PACKAGE_BEFORE_PN = "smemcap" FILES_smemcap = "${bindir}/smemcap" - -BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb index b21212a430..de2341da4c 100644 --- a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb +++ b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb @@ -9,7 +9,7 @@ SRCREV = "ad7e646700d14b81413297bda02fb7fe96613c3f" PV = "1.0+git${SRCPV}" -SRC_URI = "git://github.com/ssvb/cpuburn-arm.git \ +SRC_URI = "git://github.com/ssvb/cpuburn-arm.git;branch=master;protocol=https \ file://0001-cpuburn-a8.S-Remove-.func-.endfunc.patch \ file://0002-burn.S-Add.patch \ file://0003-burn.S-Remove-.func-.endfunc.patch \ diff --git a/meta-oe/recipes-benchmark/fio/fio_3.17.bb b/meta-oe/recipes-benchmark/fio/fio_3.17.bb index 759d1087c0..bb3243a5cc 100644 --- a/meta-oe/recipes-benchmark/fio/fio_3.17.bb +++ b/meta-oe/recipes-benchmark/fio/fio_3.17.bb @@ -23,7 +23,7 @@ PACKAGECONFIG ??= "${PACKAGECONFIG_NUMA}" PACKAGECONFIG[numa] = ",--disable-numa,numactl" SRCREV = "08ce9dc20b8a4e55db7af6d869ddfa49b4a02d03" -SRC_URI = "git://git.kernel.dk/fio.git \ +SRC_URI = "git://git.kernel.dk/fio.git;branch=master \ file://0001-update-the-interpreter-paths.patch \ file://python3_shebangs.patch \ " diff --git a/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch b/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch new file mode 100644 index 0000000000..c56fa64e58 --- /dev/null +++ b/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch @@ -0,0 +1,76 @@ +From b85ba8c3ff3fb9ae708576ccef03434d2ef73054 Mon Sep 17 00:00:00 2001 +From: Martin Jansa <Martin.Jansa@gmail.com> +Date: Tue, 14 Jun 2022 09:54:18 +0000 +Subject: [PATCH] waflib: fix compatibility with python-3.11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* https://docs.python.org/3.11/whatsnew/3.11.html#changes-in-the-python-api + + open(), io.open(), codecs.open() and fileinput.FileInput no longer + accept 'U' (“universal newlineâ€) in the file mode. This flag was + deprecated since Python 3.3. In Python 3, the “universal newline†is + used by default when a file is open in text mode. The newline parameter + of open() controls how universal newlines works. (Contributed by Victor + Stinner in bpo-37330.) + +* fixes: +Waf: The wscript in '/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git' is unreadable +Traceback (most recent call last): + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Scripting.py", line 104, in waf_entry_point + set_main_module(os.path.normpath(os.path.join(Context.run_dir,Context.WSCRIPT_FILE))) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Scripting.py", line 135, in set_main_module + Context.g_module=Context.load_module(file_path) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Context.py", line 343, in load_module + code=Utils.readf(path,m='rU',encoding=encoding) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Utils.py", line 117, in readf + f=open(fname,m) + ^^^^^^^^^^^^^ +ValueError: invalid mode: 'rUb' + +Upstream-Status: Submitted [https://github.com/glmark2/glmark2/pull/178] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + waflib/ConfigSet.py | 2 +- + waflib/Context.py | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/waflib/ConfigSet.py b/waflib/ConfigSet.py +index 16142a2..87de4ad 100644 +--- a/waflib/ConfigSet.py ++++ b/waflib/ConfigSet.py +@@ -140,7 +140,7 @@ class ConfigSet(object): + Utils.writef(filename,''.join(buf)) + def load(self,filename): + tbl=self.table +- code=Utils.readf(filename,m='rU') ++ code=Utils.readf(filename,m='r') + for m in re_imp.finditer(code): + g=m.group + tbl[g(2)]=eval(g(3)) +diff --git a/waflib/Context.py b/waflib/Context.py +index 8f2cbfb..f3e35ae 100644 +--- a/waflib/Context.py ++++ b/waflib/Context.py +@@ -109,7 +109,7 @@ class Context(ctx): + cache[node]=True + self.pre_recurse(node) + try: +- function_code=node.read('rU',encoding) ++ function_code=node.read('r',encoding) + exec(compile(function_code,node.abspath(),'exec'),self.exec_dict) + finally: + self.post_recurse(node) +@@ -340,7 +340,7 @@ def load_module(path,encoding=None): + pass + module=imp.new_module(WSCRIPT_FILE) + try: +- code=Utils.readf(path,m='rU',encoding=encoding) ++ code=Utils.readf(path,encoding=encoding) + except EnvironmentError: + raise Errors.WafError('Could not read the file %r'%path) + module_dir=os.path.dirname(path) diff --git a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb index 6d20bbdaf1..2b2ff53c7e 100644 --- a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb +++ b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb @@ -14,10 +14,11 @@ PV = "20191226+${SRCPV}" COMPATIBLE_HOST_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '.*-linux*', 'null', d)}" -SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https \ - file://python3.patch" +SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https;branch=master \ + file://python3.patch \ + file://0001-waflib-fix-compatibility-with-python-3.11.patch \ + " SRCREV = "72dabc5d72b49c6d45badeb8a941ba4d829b0bd6" - S = "${WORKDIR}/git" inherit waf pkgconfig features_check diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb index 4a520e3be5..86e5fef530 100644 --- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb +++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb @@ -19,3 +19,5 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}" PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch new file mode 100644 index 0000000000..450cdde1f8 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch @@ -0,0 +1,46 @@ +From 0ef151550d96cc4460f98832df84b4a1e87c65e9 Mon Sep 17 00:00:00 2001 +From: "Bruce A. Mah" <bmah@es.net> +Date: Fri, 7 Jul 2023 11:35:02 -0700 +Subject: [PATCH] Fix memory allocation hazard (#1542). (#1543) + +Reported by: @someusername123 on GitHub +--- + src/iperf_api.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/iperf_api.c b/src/iperf_api.c +index f2d4162..a95e024 100644 +--- a/src/iperf_api.c ++++ b/src/iperf_api.c +@@ -2670,6 +2670,7 @@ static cJSON * + JSON_read(int fd) + { + uint32_t hsize, nsize; ++ size_t strsize; + char *str; + cJSON *json = NULL; + int rc; +@@ -2682,7 +2683,9 @@ JSON_read(int fd) + if (Nread(fd, (char*) &nsize, sizeof(nsize), Ptcp) >= 0) { + hsize = ntohl(nsize); + /* Allocate a buffer to hold the JSON */ +- str = (char *) calloc(sizeof(char), hsize+1); /* +1 for trailing null */ ++ strsize = hsize + 1; /* +1 for trailing NULL */ ++ if (strsize) { ++ str = (char *) calloc(sizeof(char), strsize); + if (str != NULL) { + rc = Nread(fd, str, hsize, Ptcp); + if (rc >= 0) { +@@ -2701,6 +2704,10 @@ JSON_read(int fd) + } + } + free(str); ++ } ++ else { ++ printf("WARNING: Data length overflow\n"); ++ } + } + return json; + } +-- +2.25.1 diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb index 98d2faabfd..19be5d94c0 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb @@ -13,8 +13,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9088fe7ffdccd042f7645f1012d7f70" DEPENDS = "openssl" -SRC_URI = "git://github.com/esnet/iperf.git \ +SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ + file://0001-Fix-memory-allocation-hazard-1542-.-1543.patch \ " SRCREV = "dfcea9f6a09ead01089a3c9d20c7032f2c0af2c1" @@ -28,3 +29,5 @@ PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sc CFLAGS += "-D_GNU_SOURCE" EXTRA_OECONF = "--with-openssl=${RECIPE_SYSROOT}${prefix}" + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb index e813894316..60286c3249 100644 --- a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb +++ b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a825c63897c53f487ef900598c31527" SRCREV = "b6b2ce5f9f87a09b14499cb00c600c601f022634" PV = "20110206+git${SRCPV}" -SRC_URI = "git://git.musl-libc.org/libc-bench \ +SRC_URI = "git://git.musl-libc.org/libc-bench;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb index 4768d7b63a..d6c35d0b3a 100644 --- a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb +++ b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb @@ -12,7 +12,7 @@ PE = "1" SRCREV = "e6499ff92b4a7dcffbd131d1f5d24933e48c3f20" SRC_URI = " \ - git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https \ + git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https;branch=master \ file://skip-checking-LIB32-and-LIB64-if-they-point-to-the-s.patch \ file://libhugetlbfs-avoid-search-host-library-path-for-cros.patch \ file://tests-Makefile-install-static-4G-edge-testcases.patch \ diff --git a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb index a2966e99dd..d30ea5a01b 100644 --- a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb +++ b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ea9d559f985fb4834317d8ed6b9e58" SRCREV = "fb72e5e5f0879231f38e0e826a98a6ca2d1ca38e" -SRC_URI = "git://github.com/stressapptest/stressapptest \ +SRC_URI = "git://github.com/stressapptest/stressapptest;branch=master;protocol=https \ file://libcplusplus-compat.patch \ file://read_sysfs_for_cachesize.patch \ " diff --git a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb index 2ce10f9c44..9c20d68ef2 100644 --- a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb +++ b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=22;md5=879b9bbb60851454885b5fa47eb6b34 PV = "0.4.0+git${SRCPV}" SRCREV = "a2cf6d7e382e3aea1eb39173174d9fa28cad15f3" -SRC_URI = "git://github.com/ssvb/tinymembench.git \ +SRC_URI = "git://github.com/ssvb/tinymembench.git;branch=master;protocol=https \ file://0001-asm-Delete-.func-.endfunc-directives.patch \ " diff --git a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb index 88fcc0200f..589d62717c 100644 --- a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb +++ b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "a2f0c39d5f21596bb9f5223e895c0ff210b265d0" # SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/cpufreq/cpufrequtils.git -SRC_URI = "git://github.com/emagii/cpufrequtils.git \ +SRC_URI = "git://github.com/emagii/cpufrequtils.git;branch=master;protocol=https \ file://0001-dont-unset-cflags.patch \ " diff --git a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb index b89fe6771c..e42adc6dc0 100644 --- a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb +++ b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb @@ -11,7 +11,7 @@ PV = "0.18+git${SRCPV}" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/grondo/edac-utils \ +SRC_URI = "git://github.com/grondo/edac-utils;branch=master;protocol=https \ file://make-init-script-be-able-to-automatically-load-EDAC-.patch \ file://add-restart-to-initscript.patch \ file://edac.service \ diff --git a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb index f9ae9aad9a..1a9cb18c5c 100644 --- a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb +++ b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb @@ -16,7 +16,7 @@ inherit autotools systemd SYSTEMD_SERVICE_${PN} = "ledmon.service" # 0.93 -SRC_URI = "git://github.com/intel/ledmon;branch=master \ +SRC_URI = "git://github.com/intel/ledmon;branch=master;protocol=https \ file://0002-include-sys-select.h-and-sys-types.h.patch \ file://0001-Don-t-build-with-Werror-to-fix-compile-error.patch \ " diff --git a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb index 890db55bcc..37a98a0996 100644 --- a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb +++ b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb @@ -10,7 +10,7 @@ DEPENDS = " \ virtual/libiconv \ " -SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https \ +SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https;branch=master \ file://fancontrol.init \ file://sensord.init \ " @@ -95,7 +95,7 @@ RDEPENDS_${PN} += " \ ${PN}-sensorsdetect \ ${PN}-sensorsconfconvert \ ${PN}-pwmconfig \ - ${PN}-isatools \ + ${@bb.utils.contains('MACHINE_FEATURES', 'x86', '${PN}-isatools', '', d)} \ " # libsensors packages diff --git a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb index 4f4bb2dfab..9344c17dce 100644 --- a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb +++ b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022" DEPENDS = "util-linux" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/linux-nvme/nvme-cli.git \ +SRC_URI = "git://github.com/linux-nvme/nvme-cli.git;branch=master;protocol=https \ file://0001-fix-musl-compilation.patch \ " SRCREV = "1d84d6ae0c7d7ceff5a73fe174dde8b0005f6108" diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb index 6b4decce51..64595d59c1 100644 --- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb +++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb @@ -9,7 +9,7 @@ DEPENDS += "glib-2.0-native" PV = "0.2+git${SRCPV}" -SRC_URI = "git://github.com/labapart/gattlib.git \ +SRC_URI = "git://github.com/labapart/gattlib.git;branch=master;protocol=https \ file://dbus-avoid-strange-chars-from-the-build-dir.patch \ file://0001-cmake-Use-GNUInstallDirs.patch \ " @@ -28,5 +28,5 @@ EXTRA_OECMAKE += "-DGATTLIB_BUILD_DOCS=OFF" inherit pkgconfig cmake -FILES_${PN} = "${libdir}/* ${includedir}/*" -FILES_${PN}-dev = "${includedir}/*" +FILES_${PN} = "${libdir}/*" +FILES_${PN}-dev = "${includedir}/* ${libdir}/pkgconfig" diff --git a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb index 8c97662df5..bee757d5a6 100644 --- a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb +++ b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=a0fd36908af843bcee10cb6dfc47fa67 \ SRCREV = "95ec1ab31ee97411fc37156d12061adcf0331598" PV = "1.5.3+git${SRCPV}" -SRC_URI = "git://github.com/cminyard/gensio;protocol=https \ +SRC_URI = "git://github.com/cminyard/gensio;protocol=https;branch=master \ file://0001-filter-Rename-some-variables-to-tr_stdxxx.patch \ " diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch new file mode 100644 index 0000000000..1bedb4f753 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch @@ -0,0 +1,45 @@ +From 14fab0772db19297c82dd1b8612c9335369dce41 Mon Sep 17 00:00:00 2001 +From: Alexander Vickberg <wickbergster@gmail.com> +Date: Mon, 17 May 2021 17:54:13 +0200 +Subject: [PATCH] Prepare for CVE-2021-30004.patch + +Without this building fails for CONFIG_TLS=internal + +Signed-off-by: Alexander Vickberg <wickbergster@gmail.com> +--- + src/tls/asn1.h | 6 ++++++ + src/utils/includes.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/src/tls/asn1.h b/src/tls/asn1.h +index 6bd7df5..77b94ef 100644 +--- a/src/tls/asn1.h ++++ b/src/tls/asn1.h +@@ -66,6 +66,12 @@ void asn1_oid_to_str(const struct asn1_oid *oid, char *buf, size_t len); + unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len); + int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b); + ++static inline bool asn1_is_null(const struct asn1_hdr *hdr) ++{ ++ return hdr->class == ASN1_CLASS_UNIVERSAL && ++ hdr->tag == ASN1_TAG_NULL; ++} ++ + extern struct asn1_oid asn1_sha1_oid; + extern struct asn1_oid asn1_sha256_oid; + +diff --git a/src/utils/includes.h b/src/utils/includes.h +index 75513fc..741fc9c 100644 +--- a/src/utils/includes.h ++++ b/src/utils/includes.h +@@ -18,6 +18,7 @@ + + #include <stdlib.h> + #include <stddef.h> ++#include <stdbool.h> + #include <stdio.h> + #include <stdarg.h> + #include <string.h> +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch new file mode 100644 index 0000000000..9214615d12 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch @@ -0,0 +1,854 @@ +From 018edec9b2bd3db20605117c32ff79c1e625c432 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 11 Sep 2019 12:34:28 +0300 +Subject: [PATCH] Remove IAPP functionality from hostapd + +IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been +maintained nor is there any expectation of the withdrawn trial-use +recommended practice to be maintained in the future. Furthermore, +implementation of IAPP in hostapd was not complete, i.e., only parts of +the recommended practice were included. The main item of some real use +long time ago was the Layer 2 Update frame to update bridges when a STA +roams within an ESS, but that functionality has, in practice, been moved +to kernel drivers to provide better integration with the networking +stack. + +CVE: CVE-2019-5061 + +Upstream-Status: Backport + +Signed-off-by: Jouni Malinen <j@w1.fi> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + hostapd/Android.mk | 5 - + hostapd/Makefile | 5 - + hostapd/android.config | 3 - + hostapd/config_file.c | 3 +- + hostapd/defconfig | 3 - + hostapd/hostapd.conf | 6 - + hostapd/main.c | 3 - + src/ap/Makefile | 2 - + src/ap/ap_config.h | 4 - + src/ap/hostapd.c | 14 - + src/ap/hostapd.h | 2 - + src/ap/iapp.c | 542 ---------------------- + src/ap/iapp.h | 39 -- + src/utils/wpa_debug.h | 1 - + 14 files changed, 1 insertion(+), 633 deletions(-) + delete mode 100644 src/ap/iapp.c + delete mode 100644 src/ap/iapp.h + +diff --git a/hostapd/Android.mk b/hostapd/Android.mk +index 3183323ef..a87ac8144 100644 +--- a/hostapd/Android.mk ++++ b/hostapd/Android.mk +@@ -205,11 +205,6 @@ endif + + L_CFLAGS += -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX + +-ifdef CONFIG_IAPP +-L_CFLAGS += -DCONFIG_IAPP +-OBJS += src/ap/iapp.c +-endif +- + ifdef CONFIG_RSN_PREAUTH + L_CFLAGS += -DCONFIG_RSN_PREAUTH + CONFIG_L2_PACKET=y +diff --git a/hostapd/Makefile b/hostapd/Makefile +index f7f4c785b..42bb9e4c8 100644 +--- a/hostapd/Makefile ++++ b/hostapd/Makefile +@@ -248,11 +248,6 @@ ifndef CONFIG_NO_CTRL_IFACE + CFLAGS += -DCONFIG_CTRL_IFACE + endif + +-ifdef CONFIG_IAPP +-CFLAGS += -DCONFIG_IAPP +-OBJS += ../src/ap/iapp.o +-endif +- + ifdef CONFIG_RSN_PREAUTH + CFLAGS += -DCONFIG_RSN_PREAUTH + CONFIG_L2_PACKET=y +diff --git a/hostapd/android.config b/hostapd/android.config +index efe252332..e2e6c7821 100644 +--- a/hostapd/android.config ++++ b/hostapd/android.config +@@ -38,9 +38,6 @@ CONFIG_DRIVER_NL80211_QCA=y + # Driver interface for no driver (e.g., RADIUS server only) + #CONFIG_DRIVER_NONE=y + +-# IEEE 802.11F/IAPP +-#CONFIG_IAPP=y +- + # WPA2/IEEE 802.11i RSN pre-authentication + #CONFIG_RSN_PREAUTH=y + +diff --git a/hostapd/config_file.c b/hostapd/config_file.c +index 680f17ee0..0d340d252 100644 +--- a/hostapd/config_file.c ++++ b/hostapd/config_file.c +@@ -2712,8 +2712,7 @@ static int hostapd_config_fill(struct hostapd_config *conf, + bss->eapol_key_index_workaround = atoi(pos); + #ifdef CONFIG_IAPP + } else if (os_strcmp(buf, "iapp_interface") == 0) { +- bss->ieee802_11f = 1; +- os_strlcpy(bss->iapp_iface, pos, sizeof(bss->iapp_iface)); ++ wpa_printf(MSG_INFO, "DEPRECATED: iapp_interface not used"); + #endif /* CONFIG_IAPP */ + } else if (os_strcmp(buf, "own_ip_addr") == 0) { + if (hostapd_parse_ip_addr(pos, &bss->own_ip_addr)) { +diff --git a/hostapd/defconfig b/hostapd/defconfig +index b1fb56c3b..1a3d9f9ba 100644 +--- a/hostapd/defconfig ++++ b/hostapd/defconfig +@@ -44,9 +44,6 @@ CONFIG_LIBNL32=y + # Driver interface for no driver (e.g., RADIUS server only) + #CONFIG_DRIVER_NONE=y + +-# IEEE 802.11F/IAPP +-CONFIG_IAPP=y +- + # WPA2/IEEE 802.11i RSN pre-authentication + CONFIG_RSN_PREAUTH=y + +diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf +index 6c96a760a..a3c698480 100644 +--- a/hostapd/hostapd.conf ++++ b/hostapd/hostapd.conf +@@ -41,7 +41,6 @@ interface=wlan0 + # bit 2 (4) = RADIUS + # bit 3 (8) = WPA + # bit 4 (16) = driver interface +-# bit 5 (32) = IAPP + # bit 6 (64) = MLME + # + # Levels (minimum value for logged events): +@@ -1243,11 +1242,6 @@ eap_server=0 + # Whether to enable ERP on the EAP server. + #eap_server_erp=1 + +-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### +- +-# Interface to be used for IAPP broadcast packets +-#iapp_interface=eth0 +- + + ##### RADIUS client configuration ############################################# + # for IEEE 802.1X with external Authentication Server, IEEE 802.11 +diff --git a/hostapd/main.c b/hostapd/main.c +index 08896ffe2..8bfe24281 100644 +--- a/hostapd/main.c ++++ b/hostapd/main.c +@@ -81,9 +81,6 @@ static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module, + case HOSTAPD_MODULE_DRIVER: + module_str = "DRIVER"; + break; +- case HOSTAPD_MODULE_IAPP: +- module_str = "IAPP"; +- break; + case HOSTAPD_MODULE_MLME: + module_str = "MLME"; + break; +diff --git a/src/ap/Makefile b/src/ap/Makefile +index bd3f33b77..54e48a0dd 100644 +--- a/src/ap/Makefile ++++ b/src/ap/Makefile +@@ -18,7 +18,6 @@ CFLAGS += -DCONFIG_IEEE80211R_AP + CFLAGS += -DCONFIG_WPS + CFLAGS += -DCONFIG_PROXYARP + CFLAGS += -DCONFIG_IPV6 +-CFLAGS += -DCONFIG_IAPP + CFLAGS += -DCONFIG_AIRTIME_POLICY + + LIB_OBJS= \ +@@ -41,7 +40,6 @@ LIB_OBJS= \ + hostapd.o \ + hs20.o \ + hw_features.o \ +- iapp.o \ + ieee802_11_auth.o \ + ieee802_11.o \ + ieee802_11_ht.o \ +diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h +index e219160b0..17eb0682b 100644 +--- a/src/ap/ap_config.h ++++ b/src/ap/ap_config.h +@@ -325,10 +325,6 @@ struct hostapd_bss_config { + int erp_send_reauth_start; + char *erp_domain; + +- int ieee802_11f; /* use IEEE 802.11f (IAPP) */ +- char iapp_iface[IFNAMSIZ + 1]; /* interface used with IAPP broadcast +- * frames */ +- + enum macaddr_acl { + ACCEPT_UNLESS_DENIED = 0, + DENY_UNLESS_ACCEPTED = 1, +diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c +index ef988b634..bf7b1f89e 100644 +--- a/src/ap/hostapd.c ++++ b/src/ap/hostapd.c +@@ -28,7 +28,6 @@ + #include "accounting.h" + #include "ap_list.h" + #include "beacon.h" +-#include "iapp.h" + #include "ieee802_1x.h" + #include "ieee802_11_auth.h" + #include "vlan_init.h" +@@ -361,8 +360,6 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd) + hapd->beacon_set_done = 0; + + wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface); +- iapp_deinit(hapd->iapp); +- hapd->iapp = NULL; + accounting_deinit(hapd); + hostapd_deinit_wpa(hapd); + vlan_deinit(hapd); +@@ -1296,13 +1293,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first) + return -1; + } + +- if (conf->ieee802_11f && +- (hapd->iapp = iapp_init(hapd, conf->iapp_iface)) == NULL) { +- wpa_printf(MSG_ERROR, "IEEE 802.11F (IAPP) initialization " +- "failed."); +- return -1; +- } +- + #ifdef CONFIG_INTERWORKING + if (gas_serv_init(hapd)) { + wpa_printf(MSG_ERROR, "GAS server initialization failed"); +@@ -3056,10 +3046,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta, + hostapd_prune_associations(hapd, sta->addr); + ap_sta_clear_disconnect_timeouts(hapd, sta); + +- /* IEEE 802.11F (IAPP) */ +- if (hapd->conf->ieee802_11f) +- iapp_new_station(hapd->iapp, sta); +- + #ifdef CONFIG_P2P + if (sta->p2p_ie == NULL && !sta->no_p2p_set) { + sta->no_p2p_set = 1; +diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h +index 5b859b8a9..2358d1664 100644 +--- a/src/ap/hostapd.h ++++ b/src/ap/hostapd.h +@@ -179,8 +179,6 @@ struct hostapd_data { + u64 acct_session_id; + struct radius_das_data *radius_das; + +- struct iapp_data *iapp; +- + struct hostapd_cached_radius_acl *acl_cache; + struct hostapd_acl_query_data *acl_queries; + +diff --git a/src/ap/iapp.c b/src/ap/iapp.c +deleted file mode 100644 +index 2556da30c..000000000 +--- a/src/ap/iapp.c ++++ /dev/null +@@ -1,542 +0,0 @@ +-/* +- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP) +- * Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi> +- * +- * This software may be distributed under the terms of the BSD license. +- * See README for more details. +- * +- * Note: IEEE 802.11F-2003 was a experimental use specification. It has expired +- * and IEEE has withdrawn it. In other words, it is likely better to look at +- * using some other mechanism for AP-to-AP communication than extending the +- * implementation here. +- */ +- +-/* TODO: +- * Level 1: no administrative or security support +- * (e.g., static BSSID to IP address mapping in each AP) +- * Level 2: support for dynamic mapping of BSSID to IP address +- * Level 3: support for encryption and authentication of IAPP messages +- * - add support for MOVE-notify and MOVE-response (this requires support for +- * finding out IP address for previous AP using RADIUS) +- * - add support for Send- and ACK-Security-Block to speedup IEEE 802.1X during +- * reassociation to another AP +- * - implement counters etc. for IAPP MIB +- * - verify endianness of fields in IAPP messages; are they big-endian as +- * used here? +- * - RADIUS connection for AP registration and BSSID to IP address mapping +- * - TCP connection for IAPP MOVE, CACHE +- * - broadcast ESP for IAPP ADD-notify +- * - ESP for IAPP MOVE messages +- * - security block sending/processing +- * - IEEE 802.11 context transfer +- */ +- +-#include "utils/includes.h" +-#include <net/if.h> +-#include <sys/ioctl.h> +-#include <netpacket/packet.h> +- +-#include "utils/common.h" +-#include "utils/eloop.h" +-#include "common/ieee802_11_defs.h" +-#include "hostapd.h" +-#include "ap_config.h" +-#include "ieee802_11.h" +-#include "sta_info.h" +-#include "iapp.h" +- +- +-#define IAPP_MULTICAST "224.0.1.178" +-#define IAPP_UDP_PORT 3517 +-#define IAPP_TCP_PORT 3517 +- +-struct iapp_hdr { +- u8 version; +- u8 command; +- be16 identifier; +- be16 length; +- /* followed by length-6 octets of data */ +-} __attribute__ ((packed)); +- +-#define IAPP_VERSION 0 +- +-enum IAPP_COMMAND { +- IAPP_CMD_ADD_notify = 0, +- IAPP_CMD_MOVE_notify = 1, +- IAPP_CMD_MOVE_response = 2, +- IAPP_CMD_Send_Security_Block = 3, +- IAPP_CMD_ACK_Security_Block = 4, +- IAPP_CMD_CACHE_notify = 5, +- IAPP_CMD_CACHE_response = 6, +-}; +- +- +-/* ADD-notify - multicast UDP on the local LAN */ +-struct iapp_add_notify { +- u8 addr_len; /* ETH_ALEN */ +- u8 reserved; +- u8 mac_addr[ETH_ALEN]; +- be16 seq_num; +-} __attribute__ ((packed)); +- +- +-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ +-struct iapp_layer2_update { +- u8 da[ETH_ALEN]; /* broadcast */ +- u8 sa[ETH_ALEN]; /* STA addr */ +- be16 len; /* 6 */ +- u8 dsap; /* null DSAP address */ +- u8 ssap; /* null SSAP address, CR=Response */ +- u8 control; +- u8 xid_info[3]; +-} __attribute__ ((packed)); +- +- +-/* MOVE-notify - unicast TCP */ +-struct iapp_move_notify { +- u8 addr_len; /* ETH_ALEN */ +- u8 reserved; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +- u16 ctx_block_len; +- /* followed by ctx_block_len bytes */ +-} __attribute__ ((packed)); +- +- +-/* MOVE-response - unicast TCP */ +-struct iapp_move_response { +- u8 addr_len; /* ETH_ALEN */ +- u8 status; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +- u16 ctx_block_len; +- /* followed by ctx_block_len bytes */ +-} __attribute__ ((packed)); +- +-enum { +- IAPP_MOVE_SUCCESSFUL = 0, +- IAPP_MOVE_DENIED = 1, +- IAPP_MOVE_STALE_MOVE = 2, +-}; +- +- +-/* CACHE-notify */ +-struct iapp_cache_notify { +- u8 addr_len; /* ETH_ALEN */ +- u8 reserved; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +- u8 current_ap[ETH_ALEN]; +- u16 ctx_block_len; +- /* ctx_block_len bytes of context block followed by 16-bit context +- * timeout */ +-} __attribute__ ((packed)); +- +- +-/* CACHE-response - unicast TCP */ +-struct iapp_cache_response { +- u8 addr_len; /* ETH_ALEN */ +- u8 status; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +-} __attribute__ ((packed)); +- +-enum { +- IAPP_CACHE_SUCCESSFUL = 0, +- IAPP_CACHE_STALE_CACHE = 1, +-}; +- +- +-/* Send-Security-Block - unicast TCP */ +-struct iapp_send_security_block { +- u8 iv[8]; +- u16 sec_block_len; +- /* followed by sec_block_len bytes of security block */ +-} __attribute__ ((packed)); +- +- +-/* ACK-Security-Block - unicast TCP */ +-struct iapp_ack_security_block { +- u8 iv[8]; +- u8 new_ap_ack_authenticator[48]; +-} __attribute__ ((packed)); +- +- +-struct iapp_data { +- struct hostapd_data *hapd; +- u16 identifier; /* next IAPP identifier */ +- struct in_addr own, multicast; +- int udp_sock; +- int packet_sock; +-}; +- +- +-static void iapp_send_add(struct iapp_data *iapp, u8 *mac_addr, u16 seq_num) +-{ +- char buf[128]; +- struct iapp_hdr *hdr; +- struct iapp_add_notify *add; +- struct sockaddr_in addr; +- +- /* Send IAPP ADD-notify to remove possible association from other APs +- */ +- +- hdr = (struct iapp_hdr *) buf; +- hdr->version = IAPP_VERSION; +- hdr->command = IAPP_CMD_ADD_notify; +- hdr->identifier = host_to_be16(iapp->identifier++); +- hdr->length = host_to_be16(sizeof(*hdr) + sizeof(*add)); +- +- add = (struct iapp_add_notify *) (hdr + 1); +- add->addr_len = ETH_ALEN; +- add->reserved = 0; +- os_memcpy(add->mac_addr, mac_addr, ETH_ALEN); +- +- add->seq_num = host_to_be16(seq_num); +- +- os_memset(&addr, 0, sizeof(addr)); +- addr.sin_family = AF_INET; +- addr.sin_addr.s_addr = iapp->multicast.s_addr; +- addr.sin_port = htons(IAPP_UDP_PORT); +- if (sendto(iapp->udp_sock, buf, (char *) (add + 1) - buf, 0, +- (struct sockaddr *) &addr, sizeof(addr)) < 0) +- wpa_printf(MSG_INFO, "sendto[IAPP-ADD]: %s", strerror(errno)); +-} +- +- +-static void iapp_send_layer2_update(struct iapp_data *iapp, u8 *addr) +-{ +- struct iapp_layer2_update msg; +- +- /* Send Level 2 Update Frame to update forwarding tables in layer 2 +- * bridge devices */ +- +- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) +- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */ +- +- os_memset(msg.da, 0xff, ETH_ALEN); +- os_memcpy(msg.sa, addr, ETH_ALEN); +- msg.len = host_to_be16(6); +- msg.dsap = 0; /* NULL DSAP address */ +- msg.ssap = 0x01; /* NULL SSAP address, CR Bit: Response */ +- msg.control = 0xaf; /* XID response lsb.1111F101. +- * F=0 (no poll command; unsolicited frame) */ +- msg.xid_info[0] = 0x81; /* XID format identifier */ +- msg.xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ +- msg.xid_info[2] = 1 << 1; /* XID sender's receive window size (RW) +- * FIX: what is correct RW with 802.11? */ +- +- if (send(iapp->packet_sock, &msg, sizeof(msg), 0) < 0) +- wpa_printf(MSG_INFO, "send[L2 Update]: %s", strerror(errno)); +-} +- +- +-/** +- * iapp_new_station - IAPP processing for a new STA +- * @iapp: IAPP data +- * @sta: The associated station +- */ +-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta) +-{ +- u16 seq = 0; /* TODO */ +- +- if (iapp == NULL) +- return; +- +- /* IAPP-ADD.request(MAC Address, Sequence Number, Timeout) */ +- hostapd_logger(iapp->hapd, sta->addr, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, "IAPP-ADD.request(seq=%d)", seq); +- iapp_send_layer2_update(iapp, sta->addr); +- iapp_send_add(iapp, sta->addr, seq); +- +- /* TODO: If this was reassociation: +- * IAPP-MOVE.request(MAC Address, Sequence Number, Old AP, +- * Context Block, Timeout) +- * TODO: Send IAPP-MOVE to the old AP; Map Old AP BSSID to +- * IP address */ +-} +- +- +-static void iapp_process_add_notify(struct iapp_data *iapp, +- struct sockaddr_in *from, +- struct iapp_hdr *hdr, int len) +-{ +- struct iapp_add_notify *add = (struct iapp_add_notify *) (hdr + 1); +- struct sta_info *sta; +- +- if (len != sizeof(*add)) { +- wpa_printf(MSG_INFO, "Invalid IAPP-ADD packet length %d (expected %lu)", +- len, (unsigned long) sizeof(*add)); +- return; +- } +- +- sta = ap_get_sta(iapp->hapd, add->mac_addr); +- +- /* IAPP-ADD.indication(MAC Address, Sequence Number) */ +- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_INFO, +- "Received IAPP ADD-notify (seq# %d) from %s:%d%s", +- be_to_host16(add->seq_num), +- inet_ntoa(from->sin_addr), ntohs(from->sin_port), +- sta ? "" : " (STA not found)"); +- +- if (!sta) +- return; +- +- /* TODO: could use seq_num to try to determine whether last association +- * to this AP is newer than the one advertised in IAPP-ADD. Although, +- * this is not really a reliable verification. */ +- +- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, +- "Removing STA due to IAPP ADD-notify"); +- ap_sta_disconnect(iapp->hapd, sta, NULL, 0); +-} +- +- +-/** +- * iapp_receive_udp - Process IAPP UDP frames +- * @sock: File descriptor for the socket +- * @eloop_ctx: IAPP data (struct iapp_data *) +- * @sock_ctx: Not used +- */ +-static void iapp_receive_udp(int sock, void *eloop_ctx, void *sock_ctx) +-{ +- struct iapp_data *iapp = eloop_ctx; +- int len, hlen; +- unsigned char buf[128]; +- struct sockaddr_in from; +- socklen_t fromlen; +- struct iapp_hdr *hdr; +- +- /* Handle incoming IAPP frames (over UDP/IP) */ +- +- fromlen = sizeof(from); +- len = recvfrom(iapp->udp_sock, buf, sizeof(buf), 0, +- (struct sockaddr *) &from, &fromlen); +- if (len < 0) { +- wpa_printf(MSG_INFO, "iapp_receive_udp - recvfrom: %s", +- strerror(errno)); +- return; +- } +- +- if (from.sin_addr.s_addr == iapp->own.s_addr) +- return; /* ignore own IAPP messages */ +- +- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, +- "Received %d byte IAPP frame from %s%s\n", +- len, inet_ntoa(from.sin_addr), +- len < (int) sizeof(*hdr) ? " (too short)" : ""); +- +- if (len < (int) sizeof(*hdr)) +- return; +- +- hdr = (struct iapp_hdr *) buf; +- hlen = be_to_host16(hdr->length); +- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, +- "RX: version=%d command=%d id=%d len=%d\n", +- hdr->version, hdr->command, +- be_to_host16(hdr->identifier), hlen); +- if (hdr->version != IAPP_VERSION) { +- wpa_printf(MSG_INFO, "Dropping IAPP frame with unknown version %d", +- hdr->version); +- return; +- } +- if (hlen > len) { +- wpa_printf(MSG_INFO, "Underflow IAPP frame (hlen=%d len=%d)", +- hlen, len); +- return; +- } +- if (hlen < len) { +- wpa_printf(MSG_INFO, "Ignoring %d extra bytes from IAPP frame", +- len - hlen); +- len = hlen; +- } +- +- switch (hdr->command) { +- case IAPP_CMD_ADD_notify: +- iapp_process_add_notify(iapp, &from, hdr, len - sizeof(*hdr)); +- break; +- case IAPP_CMD_MOVE_notify: +- /* TODO: MOVE is using TCP; so move this to TCP handler once it +- * is implemented.. */ +- /* IAPP-MOVE.indication(MAC Address, New BSSID, +- * Sequence Number, AP Address, Context Block) */ +- /* TODO: process */ +- break; +- default: +- wpa_printf(MSG_INFO, "Unknown IAPP command %d", hdr->command); +- break; +- } +-} +- +- +-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface) +-{ +- struct ifreq ifr; +- struct sockaddr_ll addr; +- int ifindex; +- struct sockaddr_in *paddr, uaddr; +- struct iapp_data *iapp; +- struct ip_mreqn mreq; +- int reuseaddr = 1; +- +- iapp = os_zalloc(sizeof(*iapp)); +- if (iapp == NULL) +- return NULL; +- iapp->hapd = hapd; +- iapp->udp_sock = iapp->packet_sock = -1; +- +- /* TODO: +- * open socket for sending and receiving IAPP frames over TCP +- */ +- +- iapp->udp_sock = socket(PF_INET, SOCK_DGRAM, 0); +- if (iapp->udp_sock < 0) { +- wpa_printf(MSG_INFO, "iapp_init - socket[PF_INET,SOCK_DGRAM]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- os_memset(&ifr, 0, sizeof(ifr)); +- os_strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)); +- if (ioctl(iapp->udp_sock, SIOCGIFINDEX, &ifr) != 0) { +- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFINDEX): %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- ifindex = ifr.ifr_ifindex; +- +- if (ioctl(iapp->udp_sock, SIOCGIFADDR, &ifr) != 0) { +- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFADDR): %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- paddr = (struct sockaddr_in *) &ifr.ifr_addr; +- if (paddr->sin_family != AF_INET) { +- wpa_printf(MSG_INFO, "IAPP: Invalid address family %i (SIOCGIFADDR)", +- paddr->sin_family); +- iapp_deinit(iapp); +- return NULL; +- } +- iapp->own.s_addr = paddr->sin_addr.s_addr; +- +- if (ioctl(iapp->udp_sock, SIOCGIFBRDADDR, &ifr) != 0) { +- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFBRDADDR): %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- paddr = (struct sockaddr_in *) &ifr.ifr_addr; +- if (paddr->sin_family != AF_INET) { +- wpa_printf(MSG_INFO, "Invalid address family %i (SIOCGIFBRDADDR)", +- paddr->sin_family); +- iapp_deinit(iapp); +- return NULL; +- } +- inet_aton(IAPP_MULTICAST, &iapp->multicast); +- +- os_memset(&uaddr, 0, sizeof(uaddr)); +- uaddr.sin_family = AF_INET; +- uaddr.sin_port = htons(IAPP_UDP_PORT); +- +- if (setsockopt(iapp->udp_sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr, +- sizeof(reuseaddr)) < 0) { +- wpa_printf(MSG_INFO, +- "iapp_init - setsockopt[UDP,SO_REUSEADDR]: %s", +- strerror(errno)); +- /* +- * Ignore this and try to continue. This is fine for single +- * BSS cases, but may fail if multiple BSSes enable IAPP. +- */ +- } +- +- if (bind(iapp->udp_sock, (struct sockaddr *) &uaddr, +- sizeof(uaddr)) < 0) { +- wpa_printf(MSG_INFO, "iapp_init - bind[UDP]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- os_memset(&mreq, 0, sizeof(mreq)); +- mreq.imr_multiaddr = iapp->multicast; +- mreq.imr_address.s_addr = INADDR_ANY; +- mreq.imr_ifindex = 0; +- if (setsockopt(iapp->udp_sock, SOL_IP, IP_ADD_MEMBERSHIP, &mreq, +- sizeof(mreq)) < 0) { +- wpa_printf(MSG_INFO, "iapp_init - setsockopt[UDP,IP_ADD_MEMBERSHIP]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- iapp->packet_sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); +- if (iapp->packet_sock < 0) { +- wpa_printf(MSG_INFO, "iapp_init - socket[PF_PACKET,SOCK_RAW]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- os_memset(&addr, 0, sizeof(addr)); +- addr.sll_family = AF_PACKET; +- addr.sll_ifindex = ifindex; +- if (bind(iapp->packet_sock, (struct sockaddr *) &addr, +- sizeof(addr)) < 0) { +- wpa_printf(MSG_INFO, "iapp_init - bind[PACKET]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- if (eloop_register_read_sock(iapp->udp_sock, iapp_receive_udp, +- iapp, NULL)) { +- wpa_printf(MSG_INFO, "Could not register read socket for IAPP"); +- iapp_deinit(iapp); +- return NULL; +- } +- +- wpa_printf(MSG_INFO, "IEEE 802.11F (IAPP) using interface %s", iface); +- +- /* TODO: For levels 2 and 3: send RADIUS Initiate-Request, receive +- * RADIUS Initiate-Accept or Initiate-Reject. IAPP port should actually +- * be openned only after receiving Initiate-Accept. If Initiate-Reject +- * is received, IAPP is not started. */ +- +- return iapp; +-} +- +- +-void iapp_deinit(struct iapp_data *iapp) +-{ +- struct ip_mreqn mreq; +- +- if (iapp == NULL) +- return; +- +- if (iapp->udp_sock >= 0) { +- os_memset(&mreq, 0, sizeof(mreq)); +- mreq.imr_multiaddr = iapp->multicast; +- mreq.imr_address.s_addr = INADDR_ANY; +- mreq.imr_ifindex = 0; +- if (setsockopt(iapp->udp_sock, SOL_IP, IP_DROP_MEMBERSHIP, +- &mreq, sizeof(mreq)) < 0) { +- wpa_printf(MSG_INFO, "iapp_deinit - setsockopt[UDP,IP_DEL_MEMBERSHIP]: %s", +- strerror(errno)); +- } +- +- eloop_unregister_read_sock(iapp->udp_sock); +- close(iapp->udp_sock); +- } +- if (iapp->packet_sock >= 0) { +- eloop_unregister_read_sock(iapp->packet_sock); +- close(iapp->packet_sock); +- } +- os_free(iapp); +-} +diff --git a/src/ap/iapp.h b/src/ap/iapp.h +deleted file mode 100644 +index c22118342..000000000 +--- a/src/ap/iapp.h ++++ /dev/null +@@ -1,39 +0,0 @@ +-/* +- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP) +- * Copyright (c) 2002-2005, Jouni Malinen <j@w1.fi> +- * +- * This software may be distributed under the terms of the BSD license. +- * See README for more details. +- */ +- +-#ifndef IAPP_H +-#define IAPP_H +- +-struct iapp_data; +- +-#ifdef CONFIG_IAPP +- +-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta); +-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface); +-void iapp_deinit(struct iapp_data *iapp); +- +-#else /* CONFIG_IAPP */ +- +-static inline void iapp_new_station(struct iapp_data *iapp, +- struct sta_info *sta) +-{ +-} +- +-static inline struct iapp_data * iapp_init(struct hostapd_data *hapd, +- const char *iface) +-{ +- return NULL; +-} +- +-static inline void iapp_deinit(struct iapp_data *iapp) +-{ +-} +- +-#endif /* CONFIG_IAPP */ +- +-#endif /* IAPP_H */ +diff --git a/src/utils/wpa_debug.h b/src/utils/wpa_debug.h +index 1fe0b7db7..c94c4391f 100644 +--- a/src/utils/wpa_debug.h ++++ b/src/utils/wpa_debug.h +@@ -305,7 +305,6 @@ void hostapd_logger_register_cb(hostapd_logger_cb_func func); + #define HOSTAPD_MODULE_RADIUS 0x00000004 + #define HOSTAPD_MODULE_WPA 0x00000008 + #define HOSTAPD_MODULE_DRIVER 0x00000010 +-#define HOSTAPD_MODULE_IAPP 0x00000020 + #define HOSTAPD_MODULE_MLME 0x00000040 + + enum hostapd_logger_level { +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch new file mode 100644 index 0000000000..54c405b539 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch @@ -0,0 +1,43 @@ +From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Mon, 9 Nov 2020 11:43:12 +0200 +Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group + client + +Parsing and copying of WPS secondary device types list was verifying +that the contents is not too long for the internal maximum in the case +of WPS messages, but similar validation was missing from the case of P2P +group information which encodes this information in a different +attribute. This could result in writing beyond the memory area assigned +for these entries and corrupting memory within an instance of struct +p2p_device. This could result in invalid operations and unexpected +behavior when trying to free pointers from that corrupted memory. + +CVE: CVE-2021-0326 + +Upstream-Status: Backport + +Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 +Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/p2p/p2p.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c +index 74b7b52ae..5cbfc217f 100644 +--- a/src/p2p/p2p.c ++++ b/src/p2p/p2p.c +@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, + dev->info.config_methods = cli->config_methods; + os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); + dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; ++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) ++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; + os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, + dev->info.wps_sec_dev_type_list_len); + } +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch new file mode 100644 index 0000000000..fedff76b18 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch @@ -0,0 +1,54 @@ +From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 8 Dec 2020 23:52:50 +0200 +Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request + +p2p_add_device() may remove the oldest entry if there is no room in the +peer table for a new peer. This would result in any pointer to that +removed entry becoming stale. A corner case with an invalid PD Request +frame could result in such a case ending up using (read+write) freed +memory. This could only by triggered when the peer table has reached its +maximum size and the PD Request frame is received from the P2P Device +Address of the oldest remaining entry and the frame has incorrect P2P +Device Address in the payload. + +Fix this by fetching the dev pointer again after having called +p2p_add_device() so that the stale pointer cannot be used. + +CVE: CVE-2021-27803 + +Upstream-Status: Backport + +Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +--- + src/p2p/p2p_pd.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c +index 3994ec03f..05fd59349 100644 +--- a/src/p2p/p2p_pd.c ++++ b/src/p2p/p2p_pd.c +@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, + goto out; + } + ++ dev = p2p_get_device(p2p, sa); + if (!dev) { +- dev = p2p_get_device(p2p, sa); +- if (!dev) { +- p2p_dbg(p2p, +- "Provision Discovery device not found " +- MACSTR, MAC2STR(sa)); +- goto out; +- } ++ p2p_dbg(p2p, ++ "Provision Discovery device not found " ++ MACSTR, MAC2STR(sa)); ++ goto out; + } + } else if (msg.wfd_subelems) { + wpabuf_free(dev->info.wfd_subelems); +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch new file mode 100644 index 0000000000..e2540fc26b --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch @@ -0,0 +1,123 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport +CVE: CVE-2021-30004 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index 141ac50..e09db07 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index 1bd5aa0..bf2289f 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb index 68dc123702..a9780bc6db 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb @@ -11,7 +11,12 @@ SRC_URI = " \ file://defconfig \ file://init \ file://hostapd.service \ + file://0001-Prepare-for-CVE-2021-30004.patch.patch \ file://CVE-2019-16275.patch \ + file://CVE-2019-5061.patch \ + file://CVE-2021-0326.patch \ + file://CVE-2021-27803.patch \ + file://CVE-2021-30004.patch \ " SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8" diff --git a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb index 25500e6501..1606f10cf9 100644 --- a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb +++ b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb504b67c50331fc78734fed90fb0e09" DEPENDS = "ell" -SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git" +SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git;branch=master" SRCREV = "aa3dc1b95348dea177e9d8c2c3063b29e20fe2e9" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch new file mode 100644 index 0000000000..fe871cecb3 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch @@ -0,0 +1,121 @@ +From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 7 Jul 2021 11:47:44 +1200 +Subject: [PATCH] Fix KDC null deref on bad encrypted challenge + +The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check +to avoid further processing if the armor key is NULL. However, this +check is bypassed by a call to k5memdup0() which overwrites retval +with 0 if the allocation succeeds. If the armor key is NULL, a call +to krb5_c_fx_cf2_simple() will then dereference it, resulting in a +crash. Add a check before the k5memdup0() call to avoid overwriting +retval. + +CVE-2021-36222: + +In MIT krb5 releases 1.16 and later, an unauthenticated attacker can +cause a null dereference in the KDC by sending a request containing a +PA-ENCRYPTED-CHALLENGE padata element without using FAST. + +[ghudson@mit.edu: trimmed patch; added test case; edited commit +message] + +ticket: 9007 (new) +tags: pullup +target_version: 1.19-next +target_version: 1.18-next + +CVE: CVE-2021-36222 + +Upstream-Status: Backport +[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + kdc/kdc_preauth_ec.c | 3 ++- + tests/Makefile.in | 1 + + tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ + 3 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 src/tests/t_cve-2021-36222.py + +diff --git a/kdc/kdc_preauth_ec.c b/kdc/kdc_preauth_ec.c +index 7e636b3f9..43a9902cc 100644 +--- a/kdc/kdc_preauth_ec.c ++++ b/kdc/kdc_preauth_ec.c +@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + } + + /* Check for a configured FAST ec auth indicator. */ +- realmstr = k5memdup0(realm.data, realm.length, &retval); ++ if (retval == 0) ++ realmstr = k5memdup0(realm.data, realm.length, &retval); + if (realmstr != NULL) + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + realmstr, +diff --git a/tests/Makefile.in b/tests/Makefile.in +index fc6fcc0c3..1a1938306 100644 +--- a/tests/Makefile.in ++++ b/tests/Makefile.in +@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self + $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) + $(RM) au.log + $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ +diff --git a/tests/t_cve-2021-36222.py b/tests/t_cve-2021-36222.py +new file mode 100644 +index 000000000..57e04993b +--- /dev/null ++++ b/tests/t_cve-2021-36222.py +@@ -0,0 +1,46 @@ ++import socket ++from k5test import * ++ ++realm = K5Realm() ++ ++# CVE-2021-36222 KDC null dereference on encrypted challenge preauth ++# without FAST ++ ++s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++a = (hostname, realm.portbase) ++ ++m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE ++ 'A103' '0201' '05' # [1] pvno = 5 ++ 'A203' '0201' '0A' # [2] msg-type = 10 ++ 'A30E' '300C' # [3] padata = SEQUENCE OF ++ '300A' # SEQUENCE ++ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE ++ 'A202' '0400' # [2] padata-value = "" ++ 'A48180' '307E' # [4] req-body = SEQUENCE ++ 'A007' '0305' '0000000000' # [0] kdc-options = 0 ++ 'A120' '301E' # [1] cname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A20D' '1B0B' '4B5242544553542E434F4D' ++ # [2] realm = KRBTEST.COM ++ 'A320' '301E' # [3] sname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A511' '180F' '31393934303631303036303331375A' ++ # [5] till = 19940610060317Z ++ 'A703' '0201' '00' # [7] nonce = 0 ++ 'A808' '3006' # [8] etype = SEQUENCE OF ++ '020112' '020111') # aes256-cts aes128-cts ++ ++s.sendto(bytes.fromhex(m), a) ++ ++# Make sure kinit still works. ++realm.kinit(realm.user_princ, password('user')) ++ ++success('CVE-2021-36222 regression test') +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch new file mode 100644 index 0000000000..6d04bf8980 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch @@ -0,0 +1,110 @@ +From 4e661f0085ec5f969c76c0896a34322c6c432de4 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 17 Oct 2022 20:25:11 -0400 +Subject: [PATCH] Fix integer overflows in PAC parsing + +In krb5_parse_pac(), check for buffer counts large enough to threaten +integer overflow in the header length and memory length calculations. +Avoid potential integer overflows when checking the length of each +buffer. Credit to OSS-Fuzz for discovering one of the issues. + +CVE-2022-42898: + +In MIT krb5 releases 1.8 and later, an authenticated attacker may be +able to cause a KDC or kadmind process to crash by reading beyond the +bounds of allocated memory, creating a denial of service. A +privileged attacker may similarly be able to cause a Kerberos or GSS +application service to crash. On 32-bit platforms, an attacker can +also cause insufficient memory to be allocated for the result, +potentially leading to remote code execution in a KDC, kadmind, or GSS +or Kerberos application server process. An attacker with the +privileges of a cross-realm KDC may be able to extract secrets from a +KDC process's memory by having them copied into the PAC of a new +ticket. + +(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583) + +ticket: 9074 +version_fixed: 1.19.4 + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4] +CVE: CVE-2022-42898 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/krb5/krb/pac.c | 9 +++++++-- + src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index cc74f37..70428a1 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -27,6 +27,8 @@ + #include "k5-int.h" + #include "authdata.h" + ++#define MAX_BUFFERS 4096 ++ + /* draft-brezak-win2k-krb-authz-00 */ + + /* +@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, + if (version != 0) + return EINVAL; + ++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) ++ return ERANGE; ++ + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); + if (len < header_len) + return ERANGE; +@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, + krb5_pac_free(context, pac); + return EINVAL; + } +- if (buffer->Offset < header_len || +- buffer->Offset + buffer->cbBufferSize > len) { ++ if (buffer->Offset < header_len || buffer->Offset > len || ++ buffer->cbBufferSize > len - buffer->Offset) { + krb5_pac_free(context, pac); + return ERANGE; + } +diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c +index 7b756a2..2353e9f 100644 +--- a/src/lib/krb5/krb/t_pac.c ++++ b/src/lib/krb5/krb/t_pac.c +@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = { + 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 + }; + ++static const unsigned char fuzz1[] = { ++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, ++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 ++}; ++ ++static const unsigned char fuzz2[] = { ++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, ++ 0x20, 0x20 ++}; ++ + static const char *s4u_principal = "w2k8u@ACME.COM"; + static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; + +@@ -646,6 +656,14 @@ main(int argc, char **argv) + krb5_free_principal(context, sep); + } + ++ /* Check problematic PACs found by fuzzing. */ ++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ + /* + * Test empty free + */ +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb index 6164c82480..ebcfbc524c 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb @@ -30,6 +30,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://CVE-2021-36222.patch \ + file://CVE-2022-42898.patch;striplevel=2 \ " SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878" SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181" diff --git a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb index 908b98d8c5..b1a9ed7ec6 100644 --- a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb +++ b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb @@ -12,7 +12,7 @@ DEPENDS = "libplist usbmuxd libusbmuxd libtasn1 gnutls libgcrypt" SRCREV = "fb71aeef10488ed7b0e60a1c8a553193301428c0" PV = "1.2.0+git${SRCPV}" SRC_URI = "\ - git://github.com/libimobiledevice/libimobiledevice;protocol=https \ + git://github.com/libimobiledevice/libimobiledevice;protocol=https;branch=master \ file://configure-fix-largefile.patch \ " diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb index 07a7a1d239..2537963dda 100644 --- a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb +++ b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://libndp.org/" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://github.com/jpirko/libndp \ +SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \ " # tag for v1.6 SRCREV = "96674e7d4f4d569c2c961e865cc16152dfab5f09" diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb index 3ee69554b6..b4094dd6f3 100644 --- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb +++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" DEPENDS = "zlib libsigc++-2.0 openssl cppunit" -SRC_URI = "git://github.com/rakshasa/libtorrent \ +SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \ file://don-t-run-code-while-configuring-package.patch \ " SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1" diff --git a/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch new file mode 100644 index 0000000000..426388c3bf --- /dev/null +++ b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch @@ -0,0 +1,32 @@ +From 40dad53252e82eb4ee6e0c000e0c9ab15c7af312 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:51:40 +0100 +Subject: [PATCH] fix: always zero-terminate idna output + +CVE: CVE-2024-24806 +Upstream commit: 0f2d7e784a256b54b2385043438848047bc2a629 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +--- + src/idna.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/idna.c b/src/idna.c +index 13ffac6b..874f1caf 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -284,8 +284,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + return rc; + } + +- if (d < de) +- *d++ = '\0'; ++ if (d >= de) ++ return UV_EINVAL; + ++ *d++ = '\0'; + return d - ds; /* Number of bytes written. */ + } +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch new file mode 100644 index 0000000000..f231cf96b9 --- /dev/null +++ b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch @@ -0,0 +1,30 @@ +From 6b8bce71f3ea435fcb286d49df1204c23ef3ea01 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:52:38 +0100 +Subject: [PATCH] fix: reject zero-length idna inputs + +CVE: CVE-2024-24806 +Upstream commit: 3530bcc30350d4a6ccf35d2f7b33e23292b9de70 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +--- + src/idna.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/idna.c b/src/idna.c +index 874f1caf..97edf06c 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -254,6 +254,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + char* ds; + int rc; + ++ if (s == se) ++ return UV_EINVAL; ++ + ds = d; + + for (si = s; si < se; /* empty */) { +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb index 7577207318..da99b41fdd 100644 --- a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb +++ b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb @@ -5,8 +5,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47" SRCREV = "533b738838ad8407032e14b6772b29ef9af63cfa" -SRC_URI = "git://github.com/libuv/libuv;branch=v1.x \ - file://CVE-2020-8252.patch" +SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https \ + file://CVE-2020-8252.patch \ + file://CVE-2024-24806-1.patch \ + file://CVE-2024-24806-2.patch" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch new file mode 100644 index 0000000000..83bdae858f --- /dev/null +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch @@ -0,0 +1,42 @@ +From dfd38cb29c0768692f886d3ab9158bd2b3132582 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 22 Nov 2022 15:20:48 +0800 +Subject: [PATCH] makefile: use conditional assignment for KBUILD_OUTPUT + +Refer [1],from make 4.4, all variables that are marked as export will +also be passed to the shell started by the shell function. use "=" will +make KBUILD_OUTPUT always empty for shell function, use "?=" to make +"export KBUILD_OUTPUT" in enrironment can work. + +[snip of 4.4 NEWS] +* WARNING: Backward-incompatibility! + Previously makefile variables marked as export were not exported to commands + started by the $(shell ...) function. Now, all exported variables are + exported to $(shell ...). +[snip] + +[1] https://git.savannah.gnu.org/cgit/make.git/tree/NEWS?h=4.4&id=ed493f6c9116cc217b99c2cfa6a95f15803235a2#n74 + +Upstream-Status: Backport [d3dd51ba611802d7cbb28631cb943cb882fa4aac] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/makefile b/makefile +index 529d8a0..3db60fa 100644 +--- a/makefile ++++ b/makefile +@@ -15,7 +15,7 @@ + # with this program; if not, write to the Free Software Foundation, Inc., + # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +-KBUILD_OUTPUT = ++KBUILD_OUTPUT ?= + + DEBUG = + CC ?= $(CROSS_COMPILE)gcc +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch new file mode 100644 index 0000000000..876088649e --- /dev/null +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch @@ -0,0 +1,26 @@ +From 8a4cad5e2f2cbb6a34bdc6e877fe499502b8c4c8 Mon Sep 17 00:00:00 2001 +From: Marcel Ziswiler <marcel.ziswiler@toradex.com> +Date: Fri, 23 Dec 2016 18:12:29 +0100 +Subject: [PATCH] linuxptp: Use cross cpp in incdefs + +Use cross cpp incdefs.sh shell script since we are doing cross compiling +we need to ensure we use correct setttings from toolchain + +Upstream-Status: Inappropriate [OE-Specific] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + + makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/incdefs.sh ++++ b/incdefs.sh +@@ -27,7 +27,7 @@ user_flags() + printf " -D_GNU_SOURCE" + + # Get list of directories searched for header files. +- dirs=$(echo "" | ${CROSS_COMPILE}cpp -Wp,-v 2>&1 >/dev/null | grep ^" /") ++ dirs=$(${CPP} -Wp,-v -xc /dev/null 2>&1 >/dev/null | grep ^" /") + + # Look for clock_adjtime(). + for d in $dirs; do diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch deleted file mode 100644 index 02dbb23465..0000000000 --- a/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 8a4cad5e2f2cbb6a34bdc6e877fe499502b8c4c8 Mon Sep 17 00:00:00 2001 -From: Marcel Ziswiler <marcel.ziswiler@toradex.com> -Date: Fri, 23 Dec 2016 18:12:29 +0100 -Subject: [PATCH] linuxptp: no incdefs using host headers - -Avoid using host headers via incdefs.sh shell script. - -Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com> ---- - - makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/makefile b/makefile -index 8cdbd15..85174b8 100644 ---- a/makefile -+++ b/makefile -@@ -33,7 +33,7 @@ OBJECTS = $(OBJ) hwstamp_ctl.o phc2sys.o phc_ctl.o pmc.o pmc_common.o \ - SRC = $(OBJECTS:.o=.c) - DEPEND = $(OBJECTS:.o=.d) - srcdir := $(dir $(lastword $(MAKEFILE_LIST))) --incdefs := $(shell $(srcdir)/incdefs.sh) -+#incdefs := $(shell $(srcdir)/incdefs.sh) - version := $(shell $(srcdir)/version.sh $(srcdir)) - VPATH = $(srcdir) - --- -2.9.3 - diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb index 930c6673dc..b848575e13 100644 --- a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb @@ -2,17 +2,18 @@ DESCRIPTION = "Precision Time Protocol (PTP) according to IEEE standard 1588 for LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v${PV}/linuxptp-${PV}.tgz \ +SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v2.0/linuxptp-${PV}.tgz \ file://build-Allow-CC-and-prefix-to-be-overriden.patch \ - file://no-incdefs-using-host-headers.patch \ + file://Use-cross-cpp-in-incdefs.patch \ file://time_t_maybe_long_long.patch \ + file://0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch \ " -SRC_URI[md5sum] = "d8bb7374943bb747db7786ac26f17f11" -SRC_URI[sha256sum] = "0a24d9401e87d4af023d201e234d91127d82c350daad93432106284aa9459c7d" +SRC_URI[sha256sum] = "6f4669db1733747427217a9e74c8b5ca25c4245947463e9cdb860ec8f5ec797a" -EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} \ - EXTRA_CFLAGS='-D_GNU_SOURCE -DHAVE_CLOCK_ADJTIME -DHAVE_POSIX_SPAWN -DHAVE_ONESTEP_SYNC ${CFLAGS}'" +EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} EXTRA_CFLAGS='${CFLAGS}'" + +export KBUILD_OUTPUT="${RECIPE_SYSROOT}" do_install () { install -d ${D}/${bindir} diff --git a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb index 3a1222e89e..d070111e95 100644 --- a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb +++ b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = " \ file://about.html;md5=e5662cbb5f8fd5c9faac526e4077898e \ " -SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http \ +SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http;branch=master;protocol=https \ file://0001-Fix-bug-of-free-with-musl.patch" SRCREV = "3148fe2d5f4b87e16266dfe559c0764e16ca0546" diff --git a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb index 2ef6b187e9..bbc311ee1e 100644 --- a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb +++ b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c" LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=6b7424f9db80cfb11fdd5c980b583f53" LICENSE = "MIT" -SRC_URI = "git://github.com/alanxz/rabbitmq-c.git" +SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https" # v0.10.0-master SRCREV = "ffe918a5fcef72038a88054dca3c56762b1953d4" diff --git a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb index 331f978f86..41fb1ec826 100644 --- a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb +++ b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "libsigc++-2.0 curl cppunit libtorrent ncurses" -SRC_URI = "git://github.com/rakshasa/rtorrent \ +SRC_URI = "git://github.com/rakshasa/rtorrent;branch=master;protocol=https \ file://don-t-run-code-while-configuring-package.patch \ " # v0.9.8 diff --git a/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb b/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb index 4a91fa4f4d..ae93ff561c 100644 --- a/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb +++ b/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb @@ -14,5 +14,3 @@ SRC_URI[sha256sum] = "cffb5147021202b064eb0a9389d0db63d1bb2dcde5a896f7785f97b1b5 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/ser2net/files/ser2net" inherit autotools pkgconfig - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb b/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb index 2b05c61a0d..4d4e841f62 100644 --- a/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb +++ b/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb @@ -12,7 +12,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e413d83db6ee8f2c8e6055719096a48e" inherit autotools pkgconfig gettext gobject-introspection vala -EXTRA_OECONF = "--enable-vala-bindings" +# Respect GI_DATA_ENABLED value when enabling vala-bindings: +# configure: error: GObject-Introspection must be enabled for Vala bindings +EXTRA_OECONF = "${@bb.utils.contains('GI_DATA_ENABLED', 'True', '--enable-vala-bindings', '--disable-vala-bindings', d)}" FILES_${PN} += "${datadir}/telepathy \ ${datadir}/dbus-1" diff --git a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb index 7284234326..7993e608db 100644 --- a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb +++ b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb @@ -10,7 +10,7 @@ inherit autotools pkgconfig gitpkgv systemd PKGV = "${GITPKGVTAG}" SRCREV = "ee85938c21043ef5f7cd4dfbc7677f385814d4d8" -SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https" +SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb index 99cfb32051..dd2b4392c2 100644 --- a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb +++ b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb @@ -9,7 +9,7 @@ SECTION = "test" S = "${WORKDIR}/git" SRCREV = "f7a8d7ef7d1a831c1bb47de21fa083536ea2f3a9" -SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git \ +SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git;branch=master;protocol=https \ file://0001-Use-toolchain-from-environment-variables.patch \ file://0002-Add-missing-include-removes-unnedded-stuff-and-add-n.patch \ file://0003-fix-path-to-usr-sbin-for-script-and-make-script-for-.patch \ diff --git a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb index 0b66970a9d..2a435897d3 100644 --- a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb +++ b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb @@ -7,7 +7,7 @@ DEPENDS = "zeromq" SRCREV = "8d5c9a88988dcbebb72939ca0939d432230ffde1" PV = "4.6.0" -SRC_URI = "git://github.com/zeromq/cppzmq.git" +SRC_URI = "git://github.com/zeromq/cppzmq.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb index 7c9a33e8c1..75d534ea66 100644 --- a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb +++ b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb @@ -27,6 +27,3 @@ PACKAGECONFIG[lz4] = ",-DCMAKE_DISABLE_FIND_PACKAGE_lz4=TRUE,lz4" PACKAGECONFIG[uuid] = ",-DCMAKE_DISABLE_FIND_PACKAGE_uuid=TRUE,util-linux" PACKAGECONFIG[curl] = ",-DCMAKE_DISABLE_FIND_PACKAGE_libcurl=TRUE,curl" PACKAGECONFIG[systemd] = ",-DCMAKE_DISABLE_FIND_PACKAGE_systemd=TRUE,systemd" - -BBCLASSEXTEND = "nativesdk" - diff --git a/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch b/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch index eb3dee4d31..31f6529225 100644 --- a/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch +++ b/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch @@ -19,8 +19,8 @@ Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -1210,7 +1210,7 @@ - target_link_libraries(libzmq ${OPTIONAL_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT}) +@@ -1440,7 +1440,7 @@ if(BUILD_SHARED) + endif() if(SODIUM_FOUND) - target_link_libraries(libzmq ${SODIUM_LIBRARIES}) @@ -28,8 +28,8 @@ Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> # On Solaris, libsodium depends on libssp if(${CMAKE_SYSTEM_NAME} MATCHES "SunOS") target_link_libraries(libzmq ssp) -@@ -1240,7 +1240,7 @@ - target_link_libraries(libzmq-static ${OPTIONAL_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT}) +@@ -1485,7 +1485,7 @@ if(BUILD_STATIC) + endif() if(SODIUM_FOUND) - target_link_libraries(libzmq-static ${SODIUM_LIBRARIES}) diff --git a/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.2.bb b/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.4.bb index 02a4c04fd7..4381f2d6d6 100644 --- a/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.2.bb +++ b/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.4.bb @@ -10,8 +10,8 @@ SRC_URI = "http://github.com/zeromq/libzmq/releases/download/v${PV}/zeromq-${PV} file://0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch \ file://run-ptest \ " -SRC_URI[md5sum] = "2047e917c2cc93505e2579bcba67a573" -SRC_URI[sha256sum] = "ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763" +SRC_URI[md5sum] = "c897d4005a3f0b8276b00b7921412379" +SRC_URI[sha256sum] = "c593001a89f5a85dd2ddf564805deb860e02471171b3f204944857336295c3e5" UPSTREAM_CHECK_URI = "https://github.com/${BPN}/libzmq/releases" diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch index 2c4ca057f2..1c2fc3813f 100644 --- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch +++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch @@ -21,7 +21,7 @@ index 009e4fd..f3f0d80 100644 if (!dbus_conn) - return; -+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; if (verbose) g_print ("New message from server: type='%d' path='%s' iface='%s'" diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb index 42cd032c22..f40b48836a 100644 --- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb +++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb @@ -6,7 +6,7 @@ SRCREV = "1226a0a1374628ff191f6d8a56000be5e53e7608" PV = "0.0.0+gitr${SRCPV}" PR = "r1.59" -SRC_URI = "git://github.com/alban/dbus-daemon-proxy \ +SRC_URI = "git://github.com/alban/dbus-daemon-proxy;branch=master;protocol=https \ file://0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/emlog/emlog.inc b/meta-oe/recipes-core/emlog/emlog.inc index 9a0f9ba928..fb3cd3f712 100644 --- a/meta-oe/recipes-core/emlog/emlog.inc +++ b/meta-oe/recipes-core/emlog/emlog.inc @@ -3,9 +3,9 @@ most recent (and only the most recent) output from a process" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http" +SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http;branch=master;protocol=https" SRCREV = "aee53e8dee862f35291242ba41b0ca88010f6c71" - +PV = "0.70+git${SRCPV}" S = "${WORKDIR}/git" EXTRA_OEMAKE += " \ diff --git a/meta-oe/recipes-core/emlog/emlog_git.bb b/meta-oe/recipes-core/emlog/emlog_git.bb index 387dd67123..a503ab82b8 100644 --- a/meta-oe/recipes-core/emlog/emlog_git.bb +++ b/meta-oe/recipes-core/emlog/emlog_git.bb @@ -24,3 +24,16 @@ do_install() { } RRECOMMENDS_${PN} += "kernel-module-emlog" + +# The NVD database doesn't have a CPE for this product, +# the name of this product is exactly the same as github.com/emlog/emlog +# but it's not related in any way. The following CVEs are from that project +# so they can be safely ignored +CVE_CHECK_WHITELIST += "\ + CVE-2019-16868 \ + CVE-2019-17073 \ + CVE-2021-44584 \ + CVE-2022-1526 \ + CVE-2022-3968 \ + CVE-2023-43291 \ +" diff --git a/meta-oe/recipes-core/glfw/glfw_3.3.bb b/meta-oe/recipes-core/glfw/glfw_3.3.bb index 0fcf716c8e..c920cbd507 100644 --- a/meta-oe/recipes-core/glfw/glfw_3.3.bb +++ b/meta-oe/recipes-core/glfw/glfw_3.3.bb @@ -12,7 +12,7 @@ inherit pkgconfig cmake features_check PV .= "+git${SRCPV}" SRCREV = "781fbbadb0bccc749058177b1385c82da9ace880" -SRC_URI = "git://github.com/glfw/glfw.git" +SRC_URI = "git://github.com/glfw/glfw.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/libnfc/libnfc_git.bb b/meta-oe/recipes-core/libnfc/libnfc_git.bb index 2851ecf9fe..65586247a2 100644 --- a/meta-oe/recipes-core/libnfc/libnfc_git.bb +++ b/meta-oe/recipes-core/libnfc/libnfc_git.bb @@ -11,7 +11,7 @@ PV = "1.7.1+git${SRCPV}" S = "${WORKDIR}/git" SRCREV = "2d4543673e9b76c02679ca8b89259659f1afd932" -SRC_URI = "git://github.com/nfc-tools/libnfc.git \ +SRC_URI = "git://github.com/nfc-tools/libnfc.git;branch=master;protocol=https \ file://0001-usbbus-Include-stdint.h-for-uintX_t.patch \ " diff --git a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb index 82f2cf8c94..fa98e1cb46 100644 --- a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb +++ b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb @@ -6,7 +6,7 @@ DEPENDS = "readline" PV = "2.3.3+git${SRCPV}" -SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http" +SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http;branch=master;protocol=https" SRCREV = "28202692d0b441000f4ddb8f347f72d1355021aa" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/ndctl/ndctl_v67.bb b/meta-oe/recipes-core/ndctl/ndctl_v67.bb index da0c6563a7..19d96414d3 100644 --- a/meta-oe/recipes-core/ndctl/ndctl_v67.bb +++ b/meta-oe/recipes-core/ndctl/ndctl_v67.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e66651809cac5da60c8b80e9e4e79e08" inherit autotools-brokensep pkgconfig bash-completion systemd SRCREV = "637bb424dc317a044c722a671355ef9df0e0d30f" -SRC_URI = "git://github.com/pmem/ndctl.git" +SRC_URI = "git://github.com/pmem/ndctl.git;branch=master;protocol=https" DEPENDS = "kmod udev json-c keyutils" diff --git a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb index dec1bea566..1d86f48aee 100644 --- a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb +++ b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb @@ -6,7 +6,7 @@ SECTION = "base" S = "${WORKDIR}/git" SRCREV = "40c5d226c7c0706f0176884e9b94b3886679c983" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git;branch=main;protocol=https" do_configure[noexec] = "1" do_compile[noexec] = "1" diff --git a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb index 7c49c8d552..de355d29d6 100644 --- a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb +++ b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb @@ -8,7 +8,7 @@ inherit pkgconfig cmake S = "${WORKDIR}/git" SRCREV = "b342ff7b7f70a4b3f2cfc53215af8fa20adc3d86" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git;branch=main;protocol=https" do_install () { install -d ${D}${bindir} diff --git a/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb b/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb index 8358e933d7..505d4efc1a 100644 --- a/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb +++ b/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb @@ -8,17 +8,21 @@ PACKAGES = ' \ packagegroup-meta-oe \ packagegroup-meta-oe-benchmarks \ packagegroup-meta-oe-connectivity \ + packagegroup-meta-oe-connectivity-python2 \ packagegroup-meta-oe-core \ packagegroup-meta-oe-crypto \ packagegroup-meta-oe-bsp \ packagegroup-meta-oe-dbs \ + packagegroup-meta-oe-dbs-python2 \ packagegroup-meta-oe-devtools \ packagegroup-meta-oe-extended \ + packagegroup-meta-oe-extended-python2 \ packagegroup-meta-oe-kernel \ packagegroup-meta-oe-multimedia \ packagegroup-meta-oe-navigation \ packagegroup-meta-oe-security \ packagegroup-meta-oe-support \ + packagegroup-meta-oe-support-python2 \ packagegroup-meta-oe-test \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-gnome", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-graphics", "", d)} \ @@ -28,17 +32,21 @@ PACKAGES = ' \ RDEPENDS_packagegroup-meta-oe = "\ packagegroup-meta-oe-benchmarks \ packagegroup-meta-oe-connectivity \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-connectivity-python2", "", d)} \ packagegroup-meta-oe-core \ packagegroup-meta-oe-crypto \ packagegroup-meta-oe-bsp \ packagegroup-meta-oe-dbs \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-dbs-python2", "", d)} \ packagegroup-meta-oe-devtools \ packagegroup-meta-oe-extended \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-extended-python2", "", d)} \ packagegroup-meta-oe-kernel \ packagegroup-meta-oe-multimedia \ packagegroup-meta-oe-navigation \ packagegroup-meta-oe-security \ packagegroup-meta-oe-support \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-support-python2", "", d)} \ packagegroup-meta-oe-test \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-gnome", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-graphics", "", d)} \ @@ -70,10 +78,13 @@ RDEPENDS_packagegroup-meta-oe-connectivity ="\ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "obex-data-server", "", d)} \ libmikmod \ obexftp openobex libnet \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "telepathy-idle", "", d)} \ " RDEPENDS_packagegroup-meta-oe-connectivity_append_libc-glibc = " wvstreams wvdial" +RDEPENDS_packagegroup-meta-oe-connectivity-python2 = "\ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "telepathy-idle", "", d)} \ +" + # dracut needs dracut RDEPENDS_packagegroup-meta-oe-core ="\ dbus-daemon-proxy libdbus-c++ \ @@ -103,24 +114,26 @@ RDEPENDS_packagegroup-meta-oe-dbs ="\ leveldb libdbi mariadb mariadb-native \ postgresql psqlodbc rocksdb soci \ sqlite \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "mysql-python", "", d)} \ " +RDEPENDS_packagegroup-meta-oe-dbs-python2 ="\ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "mysql-python", "", d)} \ +" + RDEPENDS_packagegroup-meta-oe-devtools ="\ android-tools android-tools-conf bootchart breakpad \ capnproto cgdb cscope ctags \ debootstrap dmalloc flatbuffers \ - giflib grpc icon-slicer iptraf-ng jq jsoncpp jsonrpc json-spirit \ + giflib grpc guider icon-slicer iptraf-ng jq jsoncpp jsonrpc json-spirit \ kconfig-frontends lemon libedit libgee libsombok3 \ libubox log4cplus lshw ltrace lua mcpp memstat mercurial \ - mpich msgpack-c nlohmann-json openocd pax-utils \ + mpich msgpack-c nlohmann-json nodejs openocd pax-utils \ ipc-run libdbd-mysql-perl libdbi-perl libio-pty-perl php \ protobuf protobuf-c \ rapidjson serialcheck sip3 tclap uftrace uw-imap valijson \ xmlrpc-c yajl yasm \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "geany geany-plugins glade tk", "", d)} \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "nodejs", "", d)} \ - " +" RDEPENDS_packagegroup-meta-oe-devtools_remove_armv5 = "uftrace nodejs" RDEPENDS_packagegroup-meta-oe-devtools_remove_mipsarch = "uftrace lshw" @@ -155,8 +168,7 @@ RDEPENDS_packagegroup-meta-oe-extended ="\ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-ssh-agent-auth openwsman sblim-sfcb ", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "polkit", "polkit polkit-group-rule-datetime ", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "polkit", "polkit-group-rule-network ", "", d)} \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "openlmi-tools", "", d)} \ - " +" RDEPENDS_packagegroup-meta-oe-extended_remove_mipsarch = "upm mraa tiptop" RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc = "upm mraa" RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc64 = "upm mraa" @@ -164,6 +176,10 @@ RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc64le = "upm mraa" RDEPENDS_packagegroup-meta-oe-extended_remove_riscv64 = "upm mraa tiptop" RDEPENDS_packagegroup-meta-oe-extended_remove_riscv32 = "upm mraa tiptop" +RDEPENDS_packagegroup-meta-oe-extended-python2 ="\ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "openlmi-tools", "", d)} \ +" + RDEPENDS_packagegroup-meta-oe-gnome ="\ atkmm gnome-common gnome-doc-utils-stub gtkmm \ gtkmm3 pyxdg vte9 \ @@ -270,8 +286,11 @@ RDEPENDS_packagegroup-meta-oe-support ="\ procmail \ ${@bb.utils.contains("DISTRO_FEATURES", "polkit", "udisks2 upower", "", d)} \ ${NE10} \ +" + +RDEPENDS_packagegroup-meta-oe-support-python2 ="\ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "lio-utils", "", d)} \ - " +" RDEPENDS_packagegroup-meta-oe-support_remove_arm ="numactl" RDEPENDS_packagegroup-meta-oe-support_remove_mipsarch = "gperftools" diff --git a/meta-oe/recipes-core/safec/safec_3.5.1.bb b/meta-oe/recipes-core/safec/safec_3.5.1.bb index 91d8fc65a0..29158094a1 100644 --- a/meta-oe/recipes-core/safec/safec_3.5.1.bb +++ b/meta-oe/recipes-core/safec/safec_3.5.1.bb @@ -9,7 +9,7 @@ inherit autotools pkgconfig S = "${WORKDIR}/git" # v08112019 SRCREV = "ad76c7b1dbd0403b0c9decf54164fcce271c590f" -SRC_URI = "git://github.com/rurban/safeclib.git \ +SRC_URI = "git://github.com/rurban/safeclib.git;branch=master;protocol=https \ " COMPATIBLE_HOST = '(x86_64|i.86|powerpc|powerpc64|arm|aarch64|mips).*-linux' diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch new file mode 100644 index 0000000000..89cb593e60 --- /dev/null +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch @@ -0,0 +1,96 @@ +From b073e1c2b9a8138da83300f598b9a56fc9762b4b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stanislav=20Angelovi=C4=8D?= <angelovic.s@gmail.com> +Date: Mon, 16 Nov 2020 17:05:36 +0100 +Subject: [PATCH] Try to first find googletest in the system before downloading + it (#125) + +Upstream-Status: Backport [d6fdaca] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> + +--- + tests/CMakeLists.txt | 62 ++++++++++++++++++++++++++++---------------- + 1 file changed, 40 insertions(+), 22 deletions(-) + +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 97f7c1a..7ecc327 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -2,26 +2,44 @@ + # DOWNLOAD AND BUILD OF GOOGLETEST + #------------------------------- + +-include(FetchContent) +- +-message("Fetching googletest...") +-FetchContent_Declare(googletest +- GIT_REPOSITORY https://github.com/google/googletest.git +- GIT_TAG master +- GIT_SHALLOW 1 +- UPDATE_COMMAND "") +- +-#FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually: +-FetchContent_GetProperties(googletest) +-if(NOT googletest_POPULATED) +- FetchContent_Populate(googletest) +- set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE) +- set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE) +- set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE) +- set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS}) +- set(BUILD_SHARED_LIBS OFF) +- add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR}) +- set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK}) ++set(GOOGLETEST_VERSION 1.10.0 CACHE STRING "Version of gmock to use") ++set(GOOGLETEST_GIT_REPO "https://github.com/google/googletest.git" CACHE STRING "A git repo to clone and build googletest from if gmock is not found in the system") ++ ++find_package(GTest ${GOOGLETEST_VERSION} CONFIG) ++if (NOT TARGET GTest::gmock) ++ # Try pkg-config if GTest was not found through CMake config ++ find_package(PkgConfig) ++ if (PkgConfig_FOUND) ++ pkg_check_modules(GMock IMPORTED_TARGET GLOBAL gmock>=${GOOGLETEST_VERSION}) ++ if(TARGET PkgConfig::GMock) ++ add_library(GTest::gmock ALIAS PkgConfig::GMock) ++ endif() ++ endif() ++ # GTest was not found in the system, build it on our own ++ if (NOT TARGET GTest::gmock) ++ include(FetchContent) ++ ++ message("Fetching googletest...") ++ FetchContent_Declare(googletest ++ GIT_REPOSITORY ${GOOGLETEST_GIT_REPO} ++ GIT_TAG release-${GOOGLETEST_VERSION} ++ GIT_SHALLOW 1 ++ UPDATE_COMMAND "") ++ ++ #FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually: ++ FetchContent_GetProperties(googletest) ++ if(NOT googletest_POPULATED) ++ FetchContent_Populate(googletest) ++ set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE) ++ set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE) ++ set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE) ++ set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS}) ++ set(BUILD_SHARED_LIBS OFF) ++ add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR}) ++ set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK}) ++ add_library(GTest::gmock ALIAS gmock) ++ endif() ++ endif() + endif() + + #------------------------------- +@@ -87,11 +105,11 @@ include_directories(${CMAKE_CURRENT_SOURCE_DIR}) + + add_executable(sdbus-c++-unit-tests ${UNITTESTS_SRCS}) + target_compile_definitions(sdbus-c++-unit-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION}) +-target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib gmock gmock_main) ++target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib GTest::gmock) + + add_executable(sdbus-c++-integration-tests ${INTEGRATIONTESTS_SRCS}) + target_compile_definitions(sdbus-c++-integration-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION}) +-target_link_libraries(sdbus-c++-integration-tests sdbus-c++ gmock gmock_main) ++target_link_libraries(sdbus-c++-integration-tests sdbus-c++ GTest::gmock) + + # Manual performance and stress tests + option(ENABLE_PERF_TESTS "Build and install manual performance tests (default OFF)" OFF) diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb index c8e81a4123..f0e928d0da 100644 --- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb @@ -12,7 +12,7 @@ DEPENDS += "gperf-native gettext-native util-linux libcap" SRCREV = "efb536d0cbe2e58f80e501d19999928c75e08f6a" SRCBRANCH = "v243-stable" -SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}" +SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}" SRC_URI += "file://static-libsystemd-pkgconfig.patch" diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb index c4d63fd272..a94fb8deff 100644 --- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb @@ -12,13 +12,16 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'with-exte ${@bb.utils.contains('PTEST_ENABLED', '1', 'with-tests', '', d)}" PACKAGECONFIG[with-builtin-libsystemd] = ",,sdbus-c++-libsystemd,libcap" PACKAGECONFIG[with-external-libsystemd] = ",,systemd,libsystemd" -PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF" +PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF,googletest gmock" DEPENDS += "expat" SRCREV = "3a4f343fb924650e7639660efa5f143961162044" -SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master" -SRC_URI += "file://run-ptest" + +SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master \ + file://0001-Try-to-first-find-googletest-in-the-system-before-do.patch \ + file://run-ptest \ +" EXTRA_OECMAKE = "-DBUILD_CODE_GEN=ON \ -DBUILD_DOC=ON \ diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb index b9668eb099..d303f27ebb 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb @@ -21,8 +21,8 @@ RDEPENDS_${PN} = " \ " SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" -SRC_URI[md5sum] = "6e4ffb6d35a73f7539a5d0c1354654cd" -SRC_URI[sha256sum] = "a89e13dff0798fd0280e801d5f0cc8cfdb2aa5b1929bec1b7322e13d3eca95fb" +SRC_URI[md5sum] = "9c5952cebb836ee783b0b76c5380a964" +SRC_URI[sha256sum] = "61835132a5986217af17b8943013aa3fe6d47bdc1a07386343526765e2ce27a9" inherit autotools gettext pkgconfig @@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't # recognized. diff --git a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb index 4e217a351d..ad5355ea64 100644 --- a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb +++ b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" SRCREV = "5649050d201856bf06c8738b5d2aa1710c86ac2f" PV = "1.1.5" SRC_URI = " \ - git://github.com/smuellerDD/libkcapi.git \ + git://github.com/smuellerDD/libkcapi.git;branch=master;protocol=https \ file://0001-kcapi-kdf-Move-code-to-fix.patch \ file://0001-Use-__builtin_bswap32-on-Clang-if-supported.patch \ " diff --git a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb index 9b6e7ccbe2..321aa4fdc1 100644 --- a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb +++ b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb @@ -15,7 +15,7 @@ LIC_FILES_CHKSUM = " \ file://COPYING.GPL;md5=8a71d0475d08eee76d8b6d0c6dbec543 \ file://COPYING.BSD;md5=66b7a37c3c10483c1fd86007726104d7 \ " -SRC_URI = "git://github.com/OpenSC/${BPN}.git" +SRC_URI = "git://github.com/OpenSC/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" # v1.26 diff --git a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb index b597ef1ea8..48f2fd8ac1 100644 --- a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb +++ b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/google/leveldb" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=92d1b128950b11ba8495b64938fc164d" -SRC_URI = "git://github.com/google/${BPN}.git \ +SRC_URI = "git://github.com/google/${BPN}.git;branch=main;protocol=https \ file://run-ptest" SRCREV = "78b39d68c15ba020c0d60a3906fb66dbf1697595" diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.17.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.28.bb index e1a038dfa3..e1a038dfa3 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.17.bb +++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.28.bb diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 9f7203c40d..e4eb48492a 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -15,12 +15,11 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz file://support-files-CMakeLists.txt-fix-do_populate_sysroot.patch \ file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \ file://0001-disable-ucontext-on-musl.patch \ - file://c11_atomics.patch \ - file://clang_version_header_conflict.patch \ file://fix-arm-atomic.patch \ + file://CVE-2022-47015.patch \ " -SRC_URI[md5sum] = "e8193b9cd008b6d7f177f5a5c44c7a9f" -SRC_URI[sha256sum] = "a7b104e264311cd46524ae546ff0c5107978373e4a01cf7fd8a241454548d16e" + +SRC_URI[sha256sum] = "003fd23f3c6ee516176e1b62b0b43cdb6cdd3dcd4e30f855c1c5ab2baaf5a86c" UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases" diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch new file mode 100644 index 0000000000..0ddcdc028c --- /dev/null +++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch @@ -0,0 +1,269 @@ +From be0a46b3d52b58956fd0d47d040b9f4514406954 Mon Sep 17 00:00:00 2001 +From: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com> +Date: Tue, 27 Sep 2022 15:22:57 +0900 +Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in + spider_db_mbase::print_warnings() + +Upstream-Status: Backport [https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954] +CVE: CVE-2022-47015 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + .../spider/bugfix/r/mdev_29644.result | 44 ++++++++++ + .../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 + + .../spider/bugfix/t/mdev_29644.test | 58 ++++++++++++ + storage/spider/spd_db_mysql.cc | 88 ++++++++----------- + storage/spider/spd_db_mysql.h | 4 +- + 5 files changed, 141 insertions(+), 56 deletions(-) + create mode 100644 spider/mysql-test/spider/bugfix/r/mdev_29644.result + create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.cnf + create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.test + +diff --git a/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/spider/mysql-test/spider/bugfix/r/mdev_29644.result +new file mode 100644 +index 00000000..eb725602 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/r/mdev_29644.result +@@ -0,0 +1,44 @@ ++# ++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++# ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 ++connection child2_1; ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++CREATE TABLE tbl_a ( ++a CHAR(5) ++) ENGINE=InnoDB DEFAULT CHARSET=utf8; ++set @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++connection master_1; ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++CREATE TABLE tbl_a ( ++a CHAR(255) ++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"'; ++SET @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++SET @orig_log_result_errors=@@global.spider_log_result_errors; ++SET GLOBAL spider_log_result_errors=4; ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++connection master_1; ++SET GLOBAL spider_log_result_errors=@orig_log_result_errors; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_local; ++connection child2_1; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_remote; ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 +diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +new file mode 100644 +index 00000000..05dfd8a0 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +@@ -0,0 +1,3 @@ ++!include include/default_mysqld.cnf ++!include ../my_1_1.cnf ++!include ../my_2_1.cnf +diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/spider/mysql-test/spider/bugfix/t/mdev_29644.test +new file mode 100644 +index 00000000..4ebdf317 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.test +@@ -0,0 +1,58 @@ ++--echo # ++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++--echo # ++ ++# The test case below does not cause the potential null pointer dereference. ++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works. ++ ++--disable_query_log ++--disable_result_log ++--source ../../t/test_init.inc ++--enable_result_log ++--enable_query_log ++ ++--connection child2_1 ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++eval CREATE TABLE tbl_a ( ++ a CHAR(5) ++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET; ++set @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++ ++--connection master_1 ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++eval CREATE TABLE tbl_a ( ++ a CHAR(255) ++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"'; ++ ++SET @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++ ++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err; ++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should not find ++ ++SET @orig_log_result_errors=@@global.spider_log_result_errors; ++SET GLOBAL spider_log_result_errors=4; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should find ++ ++--connection master_1 ++SET GLOBAL spider_log_result_errors=@orig_log_result_errors; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_local; ++ ++--connection child2_1 ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_remote; ++ ++--disable_query_log ++--disable_result_log ++--source ../t/test_deinit.inc ++--enable_query_log ++--enable_result_log +diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc +index 85f910aa..7d6bd599 100644 +--- a/storage/spider/spd_db_mysql.cc ++++ b/storage/spider/spd_db_mysql.cc +@@ -2197,7 +2197,7 @@ int spider_db_mbase::exec_query( + db_conn->affected_rows, db_conn->insert_id, + db_conn->server_status, db_conn->warning_count); + if (spider_param_log_result_errors() >= 3) +- print_warnings(l_time); ++ fetch_and_print_warnings(l_time); + } else if (log_result_errors >= 4) + { + time_t cur_time = (time_t) time((time_t*) 0); +@@ -2279,61 +2279,43 @@ bool spider_db_mbase::is_xa_nota_error( + DBUG_RETURN(xa_nota); + } + +-void spider_db_mbase::print_warnings( +- struct tm *l_time +-) { +- DBUG_ENTER("spider_db_mbase::print_warnings"); +- DBUG_PRINT("info",("spider this=%p", this)); +- if (db_conn->status == MYSQL_STATUS_READY) ++void spider_db_mbase::fetch_and_print_warnings(struct tm *l_time) ++{ ++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings"); ++ ++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY || ++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS) ++ DBUG_VOID_RETURN; ++ ++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, ++ SPIDER_SQL_SHOW_WARNINGS_LEN)) ++ DBUG_VOID_RETURN; ++ ++ MYSQL_RES *res= mysql_store_result(db_conn); ++ if (!res) ++ DBUG_VOID_RETURN; ++ ++ uint num_fields= mysql_num_fields(res); ++ if (num_fields != 3) + { +-#if MYSQL_VERSION_ID < 50500 +- if (!(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#else +- if (!(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#endif +- { +- if ( +- spider_param_dry_access() || +- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, +- SPIDER_SQL_SHOW_WARNINGS_LEN) +- ) { +- MYSQL_RES *res = NULL; +- MYSQL_ROW row = NULL; +- uint num_fields; +- if ( +- spider_param_dry_access() || +- !(res = mysql_store_result(db_conn)) || +- !(row = mysql_fetch_row(res)) +- ) { +- if (mysql_errno(db_conn)) +- { +- if (res) +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- /* no record is ok */ +- } +- num_fields = mysql_num_fields(res); +- if (num_fields != 3) +- { +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- while (row) +- { +- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] " +- "from [%s] %ld to %ld: %s %s %s\n", ++ mysql_free_result(res); ++ DBUG_VOID_RETURN; ++ } ++ ++ MYSQL_ROW row= mysql_fetch_row(res); ++ while (row) ++ { ++ fprintf(stderr, ++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld " ++ "to %ld: %s %s %s\n", + l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday, +- l_time->tm_hour, l_time->tm_min, l_time->tm_sec, +- conn->tgt_host, (ulong) db_conn->thread_id, +- (ulong) current_thd->thread_id, row[0], row[1], row[2]); +- row = mysql_fetch_row(res); +- } +- if (res) +- mysql_free_result(res); +- } +- } ++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host, ++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0], ++ row[1], row[2]); ++ row= mysql_fetch_row(res); + } ++ mysql_free_result(res); ++ + DBUG_VOID_RETURN; + } + +diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h +index 626bb4d5..82c7c0ec 100644 +--- a/storage/spider/spd_db_mysql.h ++++ b/storage/spider/spd_db_mysql.h +@@ -439,9 +439,7 @@ class spider_db_mbase: public spider_db_conn + bool is_xa_nota_error( + int error_num + ); +- void print_warnings( +- struct tm *l_time +- ); ++ void fetch_and_print_warnings(struct tm *l_time); + spider_db_result *store_result( + spider_db_result_buffer **spider_res_buf, + st_spider_db_request_key *request_key, +-- +2.25.1 diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch deleted file mode 100644 index b1ce963602..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch +++ /dev/null @@ -1,73 +0,0 @@ -Author: VicenÈ›iu Ciorbaru <vicentiu@mariadb.org> -Date: Fri Dec 21 19:14:04 2018 +0200 - - Link with libatomic to enable C11 atomics support - - Some architectures (mips) require libatomic to support proper - atomic operations. Check first if support is available without - linking, otherwise use the library. - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Index: mariadb-10.4.17/configure.cmake -=================================================================== ---- mariadb-10.4.17.orig/configure.cmake -+++ mariadb-10.4.17/configure.cmake -@@ -863,7 +863,25 @@ int main() - long long int *ptr= &var; - return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); - }" --HAVE_GCC_C11_ATOMICS) -+HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) -+IF (HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) -+ SET(HAVE_GCC_C11_ATOMICS True) -+ELSE() -+ SET(OLD_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES}) -+ LIST(APPEND CMAKE_REQUIRED_LIBRARIES "atomic") -+ CHECK_CXX_SOURCE_COMPILES(" -+ int main() -+ { -+ long long int var= 1; -+ long long int *ptr= &var; -+ return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); -+ }" -+ HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ IF(HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ SET(HAVE_GCC_C11_ATOMICS True) -+ ENDIF() -+ SET(CMAKE_REQUIRED_LIBRARIES ${OLD_CMAKE_REQUIRED_LIBRARIES}) -+ENDIF() - - IF(WITH_VALGRIND) - SET(HAVE_valgrind 1) -Index: mariadb-10.4.17/mysys/CMakeLists.txt -=================================================================== ---- mariadb-10.4.17.orig/mysys/CMakeLists.txt -+++ mariadb-10.4.17/mysys/CMakeLists.txt -@@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings - ${LIBNSL} ${LIBM} ${LIBRT} ${CMAKE_DL_LIBS} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY}) - DTRACE_INSTRUMENT(mysys) - -+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ TARGET_LINK_LIBRARIES(mysys atomic) -+ENDIF() -+ - IF(HAVE_BFD_H) - TARGET_LINK_LIBRARIES(mysys bfd) - ENDIF(HAVE_BFD_H) -Index: mariadb-10.4.17/sql/CMakeLists.txt -=================================================================== ---- mariadb-10.4.17.orig/sql/CMakeLists.txt -+++ mariadb-10.4.17/sql/CMakeLists.txt -@@ -196,6 +196,10 @@ ELSE() - SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL}) - ENDIF() - -+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ TARGET_LINK_LIBRARIES(sql atomic) -+ENDIF() -+ - - IF(MSVC AND NOT WITHOUT_DYNAMIC_PLUGINS) - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch b/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch deleted file mode 100644 index c77a869441..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch +++ /dev/null @@ -1,32 +0,0 @@ -libc++ also has a file called version and this file and how cflags are specified -it ends up including this file and resulting in compile errors - -fixes errors like -storage/mroonga/version:1:1: error: expected unqualified-id -7.07 -^ - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - ---- a/storage/mroonga/CMakeLists.txt -+++ b/storage/mroonga/CMakeLists.txt -@@ -80,7 +80,7 @@ else() - set(MRN_SOURCE_DIR ${CMAKE_SOURCE_DIR}) - endif() - --file(READ ${MRN_SOURCE_DIR}/version MRN_VERSION) -+file(READ ${MRN_SOURCE_DIR}/ver MRN_VERSION) - file(READ ${MRN_SOURCE_DIR}/version_major MRN_VERSION_MAJOR) - file(READ ${MRN_SOURCE_DIR}/version_minor MRN_VERSION_MINOR) - file(READ ${MRN_SOURCE_DIR}/version_micro MRN_VERSION_MICRO) ---- /dev/null -+++ b/storage/mroonga/ver -@@ -0,0 +1 @@ -+7.07 -\ No newline at end of file ---- a/storage/mroonga/version -+++ /dev/null -@@ -1 +0,0 @@ --7.07 -\ No newline at end of file diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.17.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.28.bb index c0b53379d9..c0b53379d9 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb_10.4.17.bb +++ b/meta-oe/recipes-dbs/mysql/mariadb_10.4.28.bb diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch index 865ad3287b..e5fb85170b 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch @@ -9,11 +9,11 @@ extending the existing aarch64 macro works. src/include/storage/s_lock.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h -index 3fe29ce..7cd578f 100644 ---- a/src/include/storage/s_lock.h -+++ b/src/include/storage/s_lock.h -@@ -316,11 +316,12 @@ tas(volatile slock_t *lock) +Index: postgresql-12.16/src/include/storage/s_lock.h +=================================================================== +--- postgresql-12.16.orig/src/include/storage/s_lock.h ++++ postgresql-12.16/src/include/storage/s_lock.h +@@ -317,11 +317,12 @@ tas(volatile slock_t *lock) /* * On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available. @@ -27,7 +27,7 @@ index 3fe29ce..7cd578f 100644 #ifdef HAVE_GCC__SYNC_INT32_TAS #define HAS_TEST_AND_SET -@@ -337,7 +338,7 @@ tas(volatile slock_t *lock) +@@ -338,7 +339,7 @@ tas(volatile slock_t *lock) #define S_UNLOCK(lock) __sync_lock_release(lock) #endif /* HAVE_GCC__SYNC_INT32_TAS */ @@ -36,6 +36,3 @@ index 3fe29ce..7cd578f 100644 /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ --- -2.9.3 - diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch index 32b7f42845..70c813adf5 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch @@ -19,11 +19,11 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> src/common/Makefile | 4 ---- 1 file changed, 4 deletions(-) -diff --git a/src/common/Makefile b/src/common/Makefile -index 1fc2c66..5e6c457 100644 ---- a/src/common/Makefile -+++ b/src/common/Makefile -@@ -27,10 +27,6 @@ include $(top_builddir)/src/Makefile.global +Index: postgresql-12.16/src/common/Makefile +=================================================================== +--- postgresql-12.16.orig/src/common/Makefile ++++ postgresql-12.16/src/common/Makefile +@@ -31,10 +31,6 @@ include $(top_builddir)/src/Makefile.glo # don't include subdirectory-path-dependent -I and -L switches STD_CPPFLAGS := $(filter-out -I$(top_srcdir)/src/include -I$(top_builddir)/src/include,$(CPPFLAGS)) STD_LDFLAGS := $(filter-out -L$(top_builddir)/src/common -L$(top_builddir)/src/port,$(LDFLAGS)) @@ -34,6 +34,3 @@ index 1fc2c66..5e6c457 100644 override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\"" override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\"" override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\"" --- -2.7.4 - diff --git a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch index 22b62d9ded..eb6226b179 100644 --- a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch +++ b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch @@ -19,11 +19,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/configure.in b/configure.in -index b98b9bb..8584677 100644 ---- a/configure.in -+++ b/configure.in -@@ -2211,7 +2211,7 @@ Use --without-tcl to disable building PL/Tcl.]) +Index: postgresql-12.16/configure.in +=================================================================== +--- postgresql-12.16.orig/configure.in ++++ postgresql-12.16/configure.in +@@ -2357,7 +2357,7 @@ Use --without-tcl to disable building PL fi # check for <perl.h> @@ -32,6 +32,3 @@ index b98b9bb..8584677 100644 ac_save_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $perl_includespec" AC_CHECK_HEADER(perl.h, [], [AC_MSG_ERROR([header file <perl.h> is required for Perl])], --- -2.7.4 - diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.5.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.18.bb index 047509510f..44074a233c 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_12.5.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.18.bb @@ -1,6 +1,6 @@ require postgresql.inc -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fc4ce21960f0c561460d750bc270d11f" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89afbb2d7716371015101c2b2cb4297a" SRC_URI += "\ file://not-check-libperl.patch \ @@ -8,4 +8,4 @@ SRC_URI += "\ file://0001-Improve-reproducibility.patch \ " -SRC_URI[sha256sum] = "bd0d25341d9578b5473c9506300022de26370879581f5fddd243a886ce79ff95" +SRC_URI[sha256sum] = "4f9919725d941ce9868e07fe1ed1d3a86748599b483386547583928b74c3918a" diff --git a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb index b9038df81d..f971319915 100644 --- a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb +++ b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb @@ -10,7 +10,7 @@ SRCREV = "551a110918493a19d11243f53408b97485de1411" SRCBRANCH = "6.6.fb" PV = "6.6.4" -SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH} \ +SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH};protocol=https \ file://0001-db-write_thread.cc-Initialize-state.patch \ file://0001-cmake-Add-check-for-atomic-support.patch \ " diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb index e874e4a5ea..87f9c23ebf 100644 --- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb +++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=df52c6edb7adc22e533b2bacc3bd3915" PV = "20190808+git${SRCPV}" SRCREV = "aa844899c937bde5d2b24f276b59997e5b668bde" BRANCH = "lts_2019_08_08" -SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH} \ +SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \ file://0001-Remove-maes-option-from-cross-compilation.patch \ file://0002-Add-forgotten-ABSL_HAVE_VDSO_SUPPORT-conditional.patch \ file://0003-Add-fPIC-option.patch \ diff --git a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb index fb6125e2a5..ef440471bf 100644 --- a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb +++ b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb @@ -19,6 +19,7 @@ SRCREV_libhardware = "be55eb1f4d840c82ffaf7c47460df17ff5bc4d9b" SRCREV_libselinux = "07e9e1339ad1ba608acfba9dce2d0f474b252feb" SRCREV_build = "16e987def3d7d8f7d30805eb95cef69e52a87dbc" +SRCREV_FORMAT = "core_extras_libhardware_libselinux_build" SRC_URI = " \ git://${ANDROID_MIRROR}/platform/system/core;name=core;protocol=https;nobranch=1;destsuffix=git/system/core \ git://${ANDROID_MIRROR}/platform/system/extras;name=extras;protocol=https;nobranch=1;destsuffix=git/system/extras \ diff --git a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb index 2b75eaac9d..79754050d0 100644 --- a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb +++ b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb @@ -8,7 +8,7 @@ PV = "1.17" PR = "r1" PE = "1" -SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https \ +SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https;branch=master \ file://0001-svg-add-rudimentary-support-for-ARM-cpuinfo.patch \ file://0002-svg-open-etc-os-release-and-use-PRETTY_NAME-for-the-.patch \ " diff --git a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb index daf262ed66..1e474225a2 100644 --- a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb +++ b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb @@ -26,11 +26,11 @@ SRCREV_protobuf = "cb6dd4ef5f82e41e06179dcd57d3b1d9246ad6ac" SRCREV_lss = "8048ece6c16c91acfe0d36d1d3cc0890ab6e945c" SRCREV_gyp = "324dd166b7c0b39d513026fa52d6280ac6d56770" -SRC_URI = "git://github.com/google/breakpad;name=breakpad \ - git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest \ - git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf \ - git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss \ - git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp \ +SRC_URI = "git://github.com/google/breakpad;name=breakpad;branch=main;protocol=https \ + git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest;branch=main;protocol=https \ + git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf;branch=main;protocol=https \ + git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss;branch=main \ + git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp;branch=master \ file://0001-include-sys-reg.h-to-get-__WORDSIZE-on-musl-libc.patch \ file://0003-Fix-conflict-between-musl-libc-dirent.h-and-lss.patch \ file://0001-Turn-off-sign-compare-for-musl-libc.patch \ diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb index c6bab5ec2b..fa1751e566 100644 --- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb +++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb @@ -5,7 +5,9 @@ SECTION = "console/tools" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9" -SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV}" +SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \ + file://CVE-2022-46149.patch \ +" SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19" S = "${WORKDIR}/git/c++" diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch new file mode 100644 index 0000000000..b6b1fa6514 --- /dev/null +++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch @@ -0,0 +1,49 @@ +From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001 +From: Kenton Varda <kenton@cloudflare.com> +Date: Wed, 23 Nov 2022 12:02:29 -0600 +Subject: [PATCH] Apply data offset for list-of-pointers at access time rather + than ListReader creation time. + +Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected. + +CVE: CVE-2022-46149 +Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + c++/src/capnp/layout.c++ | 4 ---- + c++/src/capnp/layout.h | 6 +++++- + 2 files changed, 5 insertions(+), 5 deletions(-) + +Index: c++/src/capnp/layout.c++ +=================================================================== +--- c++.orig/src/capnp/layout.c++ ++++ c++/src/capnp/layout.c++ +@@ -2322,10 +2322,6 @@ struct WireHelpers { + break; + + case ElementSize::POINTER: +- // We expected a list of pointers but got a list of structs. Assuming the first field +- // in the struct is the pointer we were looking for, we want to munge the pointer to +- // point at the first element's pointer section. +- ptr += tag->structRef.dataSize.get(); + KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS, + "Expected a pointer list, but got a list of data-only structs.") { + goto useDefault; +Index: c++/src/capnp/layout.h +=================================================================== +--- c++.orig/src/capnp/layout.h ++++ c++/src/capnp/layout.h +@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V + } + + inline PointerReader ListReader::getPointerElement(ElementCount index) const { ++ // If the list elements have data sections we need to skip those. Note that for pointers to be ++ // present at all (which already must be true if we get here), then `structDataSize` must be a ++ // whole number of words, so we don't have to worry about unaligned reads here. ++ auto offset = structDataSize / BITS_PER_BYTE; + return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>( +- ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); ++ ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); + } + + // ------------------------------------------------------------------- diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb index e6174821ff..7af05acf9a 100644 --- a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb +++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb @@ -5,7 +5,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0" -SRC_URI = "git://github.com/DaveGamble/cJSON.git" +SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https" SRCREV = "39853e5148dad8dc5d32ea2b00943cf4a0c6f120" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb index 8c6cf7db20..996314a758 100644 --- a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb +++ b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb @@ -10,7 +10,7 @@ SECTION = "base" PV = "0.5.1+git${SRCPV}" SRCREV = "f97d3da5c375ac2fc5a9173cdd36cb828915a2e1" LIC_FILES_CHKSUM = "file://LICENSE;md5=a0b24c1a8f9ad516a297d055b0294231" -SRC_URI = "git://github.com/concurrencykit/ck.git \ +SRC_URI = "git://github.com/concurrencykit/ck.git;branch=master;protocol=https \ file://cross.patch \ " diff --git a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb index 406494ebbc..d1b7134b83 100644 --- a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb +++ b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb @@ -3,11 +3,11 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master " +SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master;protocol=https" SRCREV = "c5416adeb210154dc4ccc4c3e1c5297d83ebd41e" PV = "1.1" -SRC_URI_append_class-target = "file://oe-remote.repo.sample" +SRC_URI_append_class-target = " file://oe-remote.repo.sample" inherit distutils3-base diff --git a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb index 7b8d47d8df..c4f3594f36 100644 --- a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb +++ b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" SRCREV = "6df40a2471737b27271bdd9b900ab5f3aec746c7" -SRC_URI = "git://github.com/google/flatbuffers.git" +SRC_URI = "git://github.com/google/flatbuffers.git;branch=master;protocol=https" # affects only flatbuffers rust crate CVE_CHECK_WHITELIST += "CVE-2020-35864" @@ -24,12 +24,17 @@ BUILD_CXXFLAGS += "-std=c++11 -fPIC" # BUILD_TYPE=Release is required, otherwise flatc is not installed EXTRA_OECMAKE += "\ -DCMAKE_BUILD_TYPE=Release \ - -DFLATBUFFERS_BUILD_TESTS=OFF \ + -DFLATBUFFERS_BUILD_TESTS=OFF \ -DFLATBUFFERS_BUILD_SHAREDLIB=ON \ " inherit cmake +rm_flatc_cmaketarget_for_target() { + rm -f "${SYSROOT_DESTDIR}/${libdir}/cmake/flatbuffers/FlatcTargets.cmake" +} +SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target" + S = "${WORKDIR}/git" FILES_${PN}-compiler = "${bindir}" diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb index 752562eb33..8a055412f2 100644 --- a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb +++ b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb @@ -15,9 +15,10 @@ SRCREV_grpc = "2de2e8dd8921e1f7d043e01faf7fe8a291fbb072" SRCREV_upb = "9effcbcb27f0a665f9f345030188c0b291e32482" BRANCH = "v1.24.x" SRC_URI = "git://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BRANCH} \ - git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb \ + git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb;branch=main;protocol=https \ file://0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch \ " +SRCREV_FORMAT = "grpc_upb" SRC_URI_append_class-target = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch \ " SRC_URI_append_class-nativesdk = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch" @@ -62,6 +63,6 @@ do_configure_prepend_toolchain-clang_x86() { BBCLASSEXTEND = "native nativesdk" -SYSROOT_DIRS_BLACKLIST_append_class-target = "${baselib}/cmake/grpc" +SYSROOT_DIRS_BLACKLIST_append_class-target = " ${baselib}/cmake/grpc" FILES_${PN}-dev += "${bindir}" diff --git a/meta-oe/recipes-devtools/guider/guider_3.9.6.bb b/meta-oe/recipes-devtools/guider/guider_3.9.6.bb deleted file mode 100644 index f059002161..0000000000 --- a/meta-oe/recipes-devtools/guider/guider_3.9.6.bb +++ /dev/null @@ -1,39 +0,0 @@ -SUMMARY = "runtime performance analyzer" -HOMEPAGE = "https://github.com/iipeace/guider" -BUGTRACKER = "https://github.com/iipeace/guider/issues" -AUTHOR = "Peace Lee <ipeace5@gmail.com>" - -LICENSE = "GPLv2+" -LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2" - -PV = "3.9.6+git${SRCPV}" -PR = "r0" - -SRC_URI = "git://github.com/iipeace/${BPN}" -#SRCREV = "${AUTOREV}" -SRCREV = "fef25c41efb9bde0614ea477d0b90bd9565ae0b4" - -S = "${WORKDIR}/git" -R = "${RECIPE_SYSROOT}" - -inherit ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "distutils", "", d)} - -GUIDER_OBJ = "guider.pyc" -GUIDER_SCRIPT = "guider" - -do_install() { - python ${S}/setup.py install - - install -d ${D}${bindir} - install -v -m 0755 ${STAGING_BINDIR_NATIVE}/${GUIDER_SCRIPT} ${D}${bindir}/${GUIDER_SCRIPT} - - install -d ${D}${datadir}/${BPN} - install -v -m 0755 ${STAGING_LIBDIR_NATIVE}/python${PYTHON_BASEVERSION}/site-packages/${BPN}/${GUIDER_OBJ} ${D}${datadir}/${BPN}/${GUIDER_OBJ} -} - -RDEPENDS_${PN} = "python-ctypes python-shell \ - python-json python-subprocess" -python() { - if 'meta-python2' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-python2 to be present.') -} diff --git a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb new file mode 100644 index 0000000000..cc81443d5d --- /dev/null +++ b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb @@ -0,0 +1,19 @@ +SUMMARY = "runtime performance analyzer" +HOMEPAGE = "https://github.com/iipeace/guider" +BUGTRACKER = "https://github.com/iipeace/guider/issues" +AUTHOR = "Peace Lee <ipeace5@gmail.com>" + +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2" + +PV = "3.9.7+git${SRCPV}" + +SRC_URI = "git://github.com/iipeace/${BPN};branch=master;protocol=https" +SRCREV = "459b5189a46023fc98e19888b196bdc2674022fd" + +S = "${WORKDIR}/git" + +inherit setuptools3 + +RDEPENDS_${PN} = "python3 python3-core \ + python3-ctypes python3-shell python3-json" diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch b/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch new file mode 100644 index 0000000000..784f175eea --- /dev/null +++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch @@ -0,0 +1,52 @@ +From 2d5a94aeeab01f0448b5a0bb8d4a9a23a5b790d5 Mon Sep 17 00:00:00 2001 +From: Andrew Childs <lorne@cons.org.nz> +Date: Sat, 28 Dec 2019 16:04:24 +0900 +Subject: [PATCH] json_writer: fix inverted sense in isAnyCharRequiredQuoting + (#1120) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This bug is only affects platforms where `char` is unsigned. + +When char is a signed type, values >= 0x80 are also considered < 0, +and hence require escaping due to the < ' ' condition. + +When char is an unsigned type, values >= 0x80 match none of the +conditions and are considered safe to emit without escaping. + +This shows up as a test failure: + +* Detail of EscapeSequenceTest/writeEscapeSequence test failure: +/build/source/src/test_lib_json/main.cpp(3370): expected == result + Expected: '["\"","\\","\b","\f","\n","\r","\t","\u0278","\ud852\udf62"] + ' + Actual : '["\"","\\","\b","\f","\n","\r","\t","ɸ","ð¤¢"] + ' +Upstream-Status: Backport [https://github.com/open-source-parsers/jsoncpp/commit/f11611c8785082ead760494cba06196f14a06dcb] + +Signed-off-by: Viktor Rosendahl <Viktor.Rosendahl@bmw.de> + +--- + src/lib_json/json_writer.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/lib_json/json_writer.cpp b/src/lib_json/json_writer.cpp +index 519ce23..b68a638 100644 +--- a/src/lib_json/json_writer.cpp ++++ b/src/lib_json/json_writer.cpp +@@ -178,8 +178,9 @@ static bool isAnyCharRequiredQuoting(char const* s, size_t n) { + + char const* const end = s + n; + for (char const* cur = s; cur < end; ++cur) { +- if (*cur == '\\' || *cur == '\"' || *cur < ' ' || +- static_cast<unsigned char>(*cur) < 0x80) ++ if (*cur == '\\' || *cur == '\"' || ++ static_cast<unsigned char>(*cur) < ' ' || ++ static_cast<unsigned char>(*cur) >= 0x80) + return true; + } + return false; +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb index 8a5db3da3c..ae4b4c9840 100644 --- a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb +++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb @@ -14,7 +14,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b" SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f" -SRC_URI = "git://github.com/open-source-parsers/jsoncpp" +SRC_URI = "\ + git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https \ + file://0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch \ + " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb index ca9675ed64..e9672ea4dd 100644 --- a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb +++ b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb @@ -9,7 +9,7 @@ SECTION = "libs" DEPENDS = "curl jsoncpp libmicrohttpd hiredis" -SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp" +SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp;branch=master;protocol=https" SRCREV = "c696f6932113b81cd20cd4a34fdb1808e773f23e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb index 62d4df5e09..72f06ae44f 100644 --- a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb +++ b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=930f8aa500a47c7dab0f8efb5a1c9a40" DEPENDS = "libgfortran" SRCREV = "6acc99d5f39130be7cec00fb835606042101a970" -SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https" +SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https;branch=master" S = "${WORKDIR}/git" EXTRA_OECMAKE = " -DBUILD_SHARED_LIBS=ON " diff --git a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb index b83e86a488..2dc3776e81 100644 --- a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb +++ b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb @@ -7,7 +7,7 @@ Cluster segmentation described in Annex #29 (UAX #29)." LICENSE = "Artistic-1.0 | GPLv1+" LIC_FILES_CHKSUM = "file://COPYING;md5=5b122a36d0f6dc55279a0ebc69f3c60b" -SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https \ +SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https;branch=master \ file://0001-configure.ac-fix-cross-compiling-issue.patch \ " diff --git a/meta-oe/recipes-devtools/libubox/libubox_git.bb b/meta-oe/recipes-devtools/libubox/libubox_git.bb index 7dbefa1152..18f26b009b 100644 --- a/meta-oe/recipes-devtools/libubox/libubox_git.bb +++ b/meta-oe/recipes-devtools/libubox/libubox_git.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "\ " SRC_URI = "\ - git://git.openwrt.org/project/libubox.git \ + git://git.openwrt.org/project/libubox.git;branch=master \ file://0001-version-libraries.patch \ file://fix-libdir.patch \ file://0001-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch \ diff --git a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb index 5710943d74..339841acf3 100644 --- a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb +++ b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb @@ -14,7 +14,7 @@ PV = "7.91+git${SRCPV}" SRCREV = "c22d359433b333937ee3d803450dc41998115685" DEPENDS = "elfutils" -SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http \ +SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http;protocol=https \ file://configure-allow-to-disable-selinux-support.patch \ file://0001-replace-readdir_r-with-readdir.patch \ file://0001-Use-correct-enum-type.patch \ diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch new file mode 100644 index 0000000000..606c9ea98c --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch @@ -0,0 +1,73 @@ +From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001 +From: Steve Sakoman <steve@sakoman.com> +Date: Mon, 18 Apr 2022 09:04:08 -1000 +Subject: [PATCH] lua: fix CVE-2022-28805 + +singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup +call, leading to a heap-based buffer over-read that might affect a system that +compiles untrusted Lua code. + +https://nvd.nist.gov/vuln/detail/CVE-2022-28805 + +(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) +Signed-off-by: Omkar Patil <omkar.patil@kpit.com> +--- + .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++ + meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 + + 2 files changed, 29 insertions(+) + create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch + +diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +new file mode 100644 +index 000000000..0a21d1ce7 +--- /dev/null ++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +@@ -0,0 +1,28 @@ ++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 ++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> ++Date: Tue, 15 Feb 2022 12:28:46 -0300 ++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> ++ ++CVE: CVE-2022-28805 ++ ++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] ++ ++Signed-off-by: Sana Kazi <sana.kazi@kpit.com> ++Signed-off-by: Steve Sakoman <steve@sakoman.com> ++--- ++ src/lparser.c | 1 + ++ 1 files changed, 1 insertions(+) ++ ++diff --git a/src/lparser.c b/src/lparser.c ++index 3abe3d751..a5cd55257 100644 ++--- a/src/lparser.c +++++ b/src/lparser.c ++@@ -300,6 +300,7 @@ ++ expdesc key; ++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ ++ lua_assert(var->k != VVOID); /* this one must exist */ +++ luaK_exp2anyregup(fs, var); /* but could be a constant */ ++ codestring(ls, &key, varname); /* key is variable name */ ++ luaK_indexed(fs, var, &key); /* env[varname] */ ++ } ++ +diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +index 342ed1b54..0137cc3c5 100644 +--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb ++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ + file://CVE-2020-15888.patch \ + file://CVE-2020-15945.patch \ + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ ++ file://CVE-2022-28805.patch \ + " + + # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch new file mode 100644 index 0000000000..0a21d1ce77 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch @@ -0,0 +1,28 @@ +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> + +CVE: CVE-2022-28805 + +Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- + src/lparser.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/src/lparser.c b/src/lparser.c +index 3abe3d751..a5cd55257 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -300,6 +300,7 @@ + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(ls, &key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } + diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb index 342ed1b547..d46d402aa3 100644 --- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb @@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ file://CVE-2020-15888.patch \ file://CVE-2020-15945.patch \ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ + file://CVE-2022-28805.patch \ " # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. @@ -31,7 +32,7 @@ PACKAGECONFIG ??= "readline" PACKAGECONFIG[readline] = ",,readline" UCLIBC_PATCHES += "file://uclibc-pthread.patch" -SRC_URI_append_libc-uclibc = "${UCLIBC_PATCHES}" +SRC_URI_append_libc-uclibc = " ${UCLIBC_PATCHES}" TARGET_CC_ARCH += " -fPIC ${LDFLAGS}" EXTRA_OEMAKE = "'CC=${CC} -fPIC' 'MYCFLAGS=${CFLAGS} -fPIC' MYLDFLAGS='${LDFLAGS}'" diff --git a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb index 1bee9fe0b9..83f6aa0f42 100644 --- a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb +++ b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7dd2aad04bb7ca212e69127ba8d58f9f" DEPENDS += "lua-native lua" -SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release \ +SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release;protocol=https \ file://0001-fix-avoid-race-condition-between-test-and-mkdir.patch \ " SRCREV = "8e4902ed81c922ed8f76a7ed85be1eaa3fd7e66d" diff --git a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb index d410dc6e0a..90b55ad2df 100644 --- a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb +++ b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://NOTICE;md5=7a858c074723608e08614061dc044352 \ PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/msgpack/msgpack-c \ +SRC_URI = "git://github.com/msgpack/msgpack-c;branch=master;protocol=https \ " # cpp-3.2.1 SRCREV = "8085ab8721090a447cf98bb802d1406ad7afe420" diff --git a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb index 21d110aeea..9de6f8c99d 100644 --- a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb +++ b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" DEPENDS = "protobuf-native" -SRC_URI = "git://github.com/nanopb/nanopb.git" +SRC_URI = "git://github.com/nanopb/nanopb.git;branch=master;protocol=https" SRCREV = "70f0de9877b1ce12abc0229d5df84db6349fcbfc" S = "${WORKDIR}/git" @@ -25,6 +25,6 @@ RDEPENDS_${PN} += "\ protobuf-compiler \ " -BBCLASSEXTEND = "native nativesdk" +BBCLASSEXTEND = "nativesdk" PNBLACKLIST[nanopb] = "Needs forward porting to use python3" diff --git a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb index a97eb53c1d..62fdecf6ff 100644 --- a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb +++ b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=b67209a1e36b682a8226de19d265b1e0" -SRC_URI = "git://github.com/nlohmann/fifo_map.git" +SRC_URI = "git://github.com/nlohmann/fifo_map.git;branch=master;protocol=https" PV = "1.0.0+git${SRCPV}" diff --git a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb index 5766194d26..a7ba46c8d1 100644 --- a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb +++ b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=f5f7c71504da070bcf4f090205ce1080" -SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1 \ +SRC_URI = "git://github.com/nlohmann/json.git;branch=develop;protocol=https \ file://0001-Templatize-basic_json-ctor-from-json_ref.patch \ file://0001-typo-fix.patch \ " diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch new file mode 100644 index 0000000000..c719c9c3b0 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch @@ -0,0 +1,22 @@ +From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001 +From: Zuzana Svetlikova <zsvetlik@redhat.com> +Date: Thu, 27 Apr 2017 14:25:42 +0200 +Subject: [PATCH] Disable running gyp on shared deps + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 93d63110..79caaec2 100644 +--- a/Makefile ++++ b/Makefile +@@ -138,7 +138,7 @@ with-code-cache test-code-cache: + $(warning '$@' target is a noop) + + out/Makefile: config.gypi common.gypi node.gyp \ +- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ ++ deps/llhttp/llhttp.gyp \ + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp + $(PYTHON) tools/gyp_node.py -f make diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch new file mode 100644 index 0000000000..8c5f75112d --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch @@ -0,0 +1,40 @@ +From e1d838089cd461d9efcf4d29d9f18f65994d2d6b Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Sun, 3 Oct 2021 22:48:39 +0200 +Subject: [PATCH] jinja/tests.py: add py 3.10 fix + +Upstream-Status: Pending +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + deps/v8/third_party/jinja2/tests.py | 2 +- + tools/inspector_protocol/jinja2/tests.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/v8/third_party/jinja2/tests.py b/deps/v8/third_party/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/deps/v8/third_party/jinja2/tests.py ++++ b/deps/v8/third_party/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +diff --git a/tools/inspector_protocol/jinja2/tests.py b/tools/inspector_protocol/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/tools/inspector_protocol/jinja2/tests.py ++++ b/tools/inspector_protocol/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +-- +2.20.1 diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch new file mode 100644 index 0000000000..ee287bf94a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch @@ -0,0 +1,27 @@ +From 0976af0f3b328436ea44a74a406f311adb2ab211 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 15 Jun 2021 19:01:31 -0700 +Subject: [PATCH] ppc64: Do not use -mminimal-toc with clang + +clang does not support this option + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + common.gypi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common.gypi b/common.gypi +index ee91fb1d..049c8f8c 100644 +--- a/common.gypi ++++ b/common.gypi +@@ -413,7 +413,7 @@ + 'ldflags': [ '-m32' ], + }], + [ 'target_arch=="ppc64" and OS!="aix"', { +- 'cflags': [ '-m64', '-mminimal-toc' ], ++ 'cflags': [ '-m64' ], + 'ldflags': [ '-m64' ], + }], + [ 'target_arch=="s390x"', { +-- +2.32.0 diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch new file mode 100644 index 0000000000..c6fc2dcd76 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch @@ -0,0 +1,62 @@ +From 6c3ac20477a4bac643088f24df3c042e627fafa9 Mon Sep 17 00:00:00 2001 +From: Guillaume Burel <guillaume.burel@stormshield.eu> +Date: Fri, 3 Jan 2020 11:25:54 +0100 +Subject: [PATCH] Using native binaries + +--- + node.gyp | 4 ++-- + tools/v8_gypfiles/v8.gyp | 11 ++++------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/node.gyp ++++ b/node.gyp +@@ -487,6 +487,7 @@ + 'action_name': 'run_mkcodecache', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mkcodecache_exec)', + ], + 'outputs': [ +@@ -512,6 +513,7 @@ + 'action_name': 'node_mksnapshot', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(node_mksnapshot_exec)', + ], + 'outputs': [ +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -220,6 +220,7 @@ + { + 'action_name': 'run_torque_action', + 'inputs': [ # Order matters. ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)', + '<@(torque_files)', + ], +@@ -351,6 +352,7 @@ + { + 'action_name': 'generate_bytecode_builtins_list_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)bytecode_builtins_list_generator<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ +@@ -533,6 +535,7 @@ + ], + }, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mksnapshot_exec)', + ], + 'outputs': [ +@@ -1448,6 +1451,7 @@ + { + 'action_name': 'run_gen-regexp-special-case_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)gen-regexp-special-case<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch new file mode 100644 index 0000000000..3c4b2317d8 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch @@ -0,0 +1,84 @@ +From 5b22fac923d1ca3e9fefb97f5a171124a88f5e22 Mon Sep 17 00:00:00 2001 +From: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Date: Tue, 19 Mar 2019 23:22:40 -0400 +Subject: [PATCH] Install both binaries and use libdir. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows us to build with a shared library for other users while +still providing the normal executable. + +Taken from - https://src.fedoraproject.org/rpms/nodejs/raw/rawhide/f/0002-Install-both-binaries-and-use-libdir.patch + +Upstream-Status: Pending + +Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + configure.py | 7 +++++++ + tools/install.py | 21 +++++++++------------ + 2 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/configure.py b/configure.py +index e6f7e4db..6cf5c45d 100755 +--- a/configure.py ++++ b/configure.py +@@ -626,6 +626,12 @@ parser.add_option('--shared', + help='compile shared library for embedding node in another project. ' + + '(This mode is not officially supported for regular applications)') + ++parser.add_option('--libdir', ++ action='store', ++ dest='libdir', ++ default='lib', ++ help='a directory to install the shared library into') ++ + parser.add_option('--without-v8-platform', + action='store_true', + dest='without_v8_platform', +@@ -1202,6 +1208,7 @@ def configure_node(o): + o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) + + o['variables']['node_shared'] = b(options.shared) ++ o['variables']['libdir'] = options.libdir + node_module_version = getmoduleversion.get_version() + + if options.dest_os == 'android': +diff --git a/tools/install.py b/tools/install.py +index 729b416f..9bfc6234 100755 +--- a/tools/install.py ++++ b/tools/install.py +@@ -121,22 +121,19 @@ def subdir_files(path, dest, action): + + def files(action): + is_windows = sys.platform == 'win32' +- output_file = 'node' + output_prefix = 'out/Release/' ++ output_libprefix = output_prefix + +- if 'false' == variables.get('node_shared'): +- if is_windows: +- output_file += '.exe' ++ if is_windows: ++ output_bin = 'node.exe' ++ output_lib = 'node.dll' + else: +- if is_windows: +- output_file += '.dll' +- else: +- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix') ++ output_bin = 'node' ++ output_lib = 'libnode.' + variables.get('shlib_suffix') + +- if 'false' == variables.get('node_shared'): +- action([output_prefix + output_file], 'bin/' + output_file) +- else: +- action([output_prefix + output_file], 'lib/' + output_file) ++ action([output_prefix + output_bin], 'bin/' + output_bin) ++ if 'true' == variables.get('node_shared'): ++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) + + if 'true' == variables.get('node_use_dtrace'): + action(['out/Release/node.d'], 'lib/dtrace/node.d') diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch new file mode 100644 index 0000000000..f7b4b61f47 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch @@ -0,0 +1,133 @@ +commit 48c5aa5cab718d04473fa2761d532657c84b8131 +Author: Tobias Nießen <tniessen@tnie.de> +Date: Fri May 27 21:18:49 2022 +0000 + + src: fix IPv4 validation in inspector_socket + + Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com> + PR-URL: https://github.com/nodejs-private/node-private/pull/320 + Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/325 + Reviewed-By: Matteo Collina <matteo.collina@gmail.com> + Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com> + CVE-ID: CVE-2022-32212 + +CVE: CVE-2022-32212 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-32212.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/src/inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_socket.cc ++++ nodejs-12.22.12~dfsg/src/inspector_socket.cc +@@ -168,14 +168,22 @@ static std::string TrimPort(const std::s + static bool IsIPAddress(const std::string& host) { + if (host.length() >= 4 && host.front() == '[' && host.back() == ']') + return true; +- int quads = 0; ++ uint_fast16_t accum = 0; ++ uint_fast8_t quads = 0; ++ bool empty = true; ++ auto endOctet = [&accum, &quads, &empty](bool final = false) { ++ return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) && ++ (empty = true) && !(accum = 0); ++ }; + for (char c : host) { +- if (c == '.') +- quads++; +- else if (!isdigit(c)) ++ if (isdigit(c)) { ++ if ((accum = (accum * 10) + (c - '0')) > 0xff) return false; ++ empty = false; ++ } else if (c != '.' || !endOctet()) { + return false; ++ } + } +- return quads == 3; ++ return endOctet(true); + } + + // Constants for hybi-10 frame format. +Index: nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/test/cctest/test_inspector_socket.cc ++++ nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +@@ -851,4 +851,78 @@ TEST_F(InspectorSocketTest, HostCheckedF + expect_failure_no_delegate(UPGRADE_REQUEST); + } + ++TEST_F(InspectorSocketTest, HostIPChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 10.0.2.555:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostNegativeIPChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 10.0.-23.255:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpOctetOutOfIntRangeChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = ++ "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.4294967296:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpOctetFarOutOfIntRangeChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = ++ "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.18446744073709552000:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: .0.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127..0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpTooFewOctetsChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ + } // anonymous namespace diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch new file mode 100644 index 0000000000..e9c2e7404a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch @@ -0,0 +1,237 @@ +Origin: https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79 +Reviewed-by: Aron Xu <aron@debian.org> +Last-Update: 2022-01-05 +Comment: + Although WebCrypto is not implemented in 12.x series, this fix is introducing + enhancment to the crypto setup of V8:EntropySource(). + +commit 0c2a5723beff39d1f62daec96b5389da3d427e79 +Author: Ben Noordhuis <info@bnoordhuis.nl> +Date: Sun Sep 11 10:48:34 2022 +0200 + + crypto: fix weak randomness in WebCrypto keygen + + Commit dae283d96f from August 2020 introduced a call to EntropySource() + in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There + are two problems with that: + + 1. It does not check the return value, it assumes EntropySource() always + succeeds, but it can (and sometimes will) fail. + + 2. The random data returned byEntropySource() may not be + cryptographically strong and therefore not suitable as keying + material. + + An example is a freshly booted system or a system without /dev/random or + getrandom(2). + + EntropySource() calls out to openssl's RAND_poll() and RAND_bytes() in a + best-effort attempt to obtain random data. OpenSSL has a built-in CSPRNG + but that can fail to initialize, in which case it's possible either: + + 1. No random data gets written to the output buffer, i.e., the output is + unmodified, or + + 2. Weak random data is written. It's theoretically possible for the + output to be fully predictable because the CSPRNG starts from a + predictable state. + + Replace EntropySource() and CheckEntropy() with new function CSPRNG() + that enforces checking of the return value. Abort on startup when the + entropy pool fails to initialize because that makes it too easy to + compromise the security of the process. + + Refs: https://hackerone.com/bugs?report_id=1690000 + Refs: https://github.com/nodejs/node/pull/35093 + + Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> + Reviewed-By: Tobias Nießen <tniessen@tnie.de> + PR-URL: #346 + Backport-PR-URL: #351 + CVE-ID: CVE-2022-35255 + +CVE: CVE-2022-35255 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-35255.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/node.gyp +=================================================================== +--- nodejs-12.22.12~dfsg.orig/node.gyp ++++ nodejs-12.22.12~dfsg/node.gyp +@@ -743,6 +743,8 @@ + 'openssl_default_cipher_list%': '', + }, + ++ 'cflags': ['-Werror=unused-result'], ++ + 'defines': [ + 'NODE_ARCH="<(target_arch)"', + 'NODE_PLATFORM="<(OS)"', +Index: nodejs-12.22.12~dfsg/src/node_crypto.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node_crypto.cc ++++ nodejs-12.22.12~dfsg/src/node_crypto.cc +@@ -386,48 +386,14 @@ void ThrowCryptoError(Environment* env, + env->isolate()->ThrowException(exception); + } + ++MUST_USE_RESULT CSPRNGResult CSPRNG(void* buffer, size_t length) { ++ do { ++ if (1 == RAND_status()) ++ if (1 == RAND_bytes(static_cast<unsigned char*>(buffer), length)) ++ return {true}; ++ } while (1 == RAND_poll()); + +-// Ensure that OpenSSL has enough entropy (at least 256 bits) for its PRNG. +-// The entropy pool starts out empty and needs to fill up before the PRNG +-// can be used securely. Once the pool is filled, it never dries up again; +-// its contents is stirred and reused when necessary. +-// +-// OpenSSL normally fills the pool automatically but not when someone starts +-// generating random numbers before the pool is full: in that case OpenSSL +-// keeps lowering the entropy estimate to thwart attackers trying to guess +-// the initial state of the PRNG. +-// +-// When that happens, we will have to wait until enough entropy is available. +-// That should normally never take longer than a few milliseconds. +-// +-// OpenSSL draws from /dev/random and /dev/urandom. While /dev/random may +-// block pending "true" randomness, /dev/urandom is a CSPRNG that doesn't +-// block under normal circumstances. +-// +-// The only time when /dev/urandom may conceivably block is right after boot, +-// when the whole system is still low on entropy. That's not something we can +-// do anything about. +-inline void CheckEntropy() { +- for (;;) { +- int status = RAND_status(); +- CHECK_GE(status, 0); // Cannot fail. +- if (status != 0) +- break; +- +- // Give up, RAND_poll() not supported. +- if (RAND_poll() == 0) +- break; +- } +-} +- +- +-bool EntropySource(unsigned char* buffer, size_t length) { +- // Ensure that OpenSSL's PRNG is properly seeded. +- CheckEntropy(); +- // RAND_bytes() can return 0 to indicate that the entropy data is not truly +- // random. That's okay, it's still better than V8's stock source of entropy, +- // which is /dev/urandom on UNIX platforms and the current time on Windows. +- return RAND_bytes(buffer, length) != -1; ++ return {false}; + } + + void SecureContext::Initialize(Environment* env, Local<Object> target) { +@@ -649,9 +615,9 @@ void SecureContext::Init(const FunctionC + // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was + // exposed in the public API. To retain compatibility, install a callback + // which restores the old algorithm. +- if (RAND_bytes(sc->ticket_key_name_, sizeof(sc->ticket_key_name_)) <= 0 || +- RAND_bytes(sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_)) <= 0 || +- RAND_bytes(sc->ticket_key_aes_, sizeof(sc->ticket_key_aes_)) <= 0) { ++ if (CSPRNG(sc->ticket_key_name_, sizeof(sc->ticket_key_name_)).is_err() || ++ CSPRNG(sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_)).is_err() || ++ CSPRNG(sc->ticket_key_aes_, sizeof(sc->ticket_key_aes_)).is_err()) { + return env->ThrowError("Error generating ticket keys"); + } + SSL_CTX_set_tlsext_ticket_key_cb(sc->ctx_.get(), TicketCompatibilityCallback); +@@ -1643,7 +1609,7 @@ int SecureContext::TicketCompatibilityCa + + if (enc) { + memcpy(name, sc->ticket_key_name_, sizeof(sc->ticket_key_name_)); +- if (RAND_bytes(iv, 16) <= 0 || ++ if (CSPRNG(iv, 16).is_err() || + EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), nullptr, + sc->ticket_key_aes_, iv) <= 0 || + HMAC_Init_ex(hctx, sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_), +@@ -5867,8 +5833,7 @@ struct RandomBytesJob : public CryptoJob + : CryptoJob(env), rc(Nothing<int>()) {} + + inline void DoThreadPoolWork() override { +- CheckEntropy(); // Ensure that OpenSSL's PRNG is properly seeded. +- rc = Just(RAND_bytes(data, size)); ++ rc = Just(int(CSPRNG(data, size).is_ok())); + if (0 == rc.FromJust()) errors.Capture(); + } + +@@ -6318,8 +6283,8 @@ class GenerateKeyPairJob : public Crypto + } + + inline bool GenerateKey() { +- // Make sure that the CSPRNG is properly seeded so the results are secure. +- CheckEntropy(); ++ // Make sure that the CSPRNG is properly seeded. ++ CHECK(CSPRNG(nullptr, 0).is_ok()); + + // Create the key generation context. + EVPKeyCtxPointer ctx = config_->Setup(); +Index: nodejs-12.22.12~dfsg/src/node_crypto.h +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node_crypto.h ++++ nodejs-12.22.12~dfsg/src/node_crypto.h +@@ -840,7 +840,19 @@ class ECDH final : public BaseObject { + const EC_GROUP* group_; + }; + +-bool EntropySource(unsigned char* buffer, size_t length); ++struct CSPRNGResult { ++ const bool ok; ++ MUST_USE_RESULT bool is_ok() const { return ok; } ++ MUST_USE_RESULT bool is_err() const { return !ok; } ++}; ++ ++// Either succeeds with exactly |length| bytes of cryptographically ++// strong pseudo-random data, or fails. This function may block. ++// Don't assume anything about the contents of |buffer| on error. ++// As a special case, |length == 0| can be used to check if the CSPRNG ++// is properly seeded without consuming entropy. ++MUST_USE_RESULT CSPRNGResult CSPRNG(void* buffer, size_t length); ++ + #ifndef OPENSSL_NO_ENGINE + void SetEngine(const v8::FunctionCallbackInfo<v8::Value>& args); + #endif // !OPENSSL_NO_ENGINE +Index: nodejs-12.22.12~dfsg/src/inspector_io.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_io.cc ++++ nodejs-12.22.12~dfsg/src/inspector_io.cc +@@ -46,8 +46,7 @@ std::string ScriptPath(uv_loop_t* loop, + // Used ver 4 - with numbers + std::string GenerateID() { + uint16_t buffer[8]; +- CHECK(crypto::EntropySource(reinterpret_cast<unsigned char*>(buffer), +- sizeof(buffer))); ++ CHECK(crypto::CSPRNG(buffer, sizeof(buffer)).is_ok()); + + char uuid[256]; + snprintf(uuid, sizeof(uuid), "%04x%04x-%04x-%04x-%04x-%04x%04x%04x", +Index: nodejs-12.22.12~dfsg/src/node.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node.cc ++++ nodejs-12.22.12~dfsg/src/node.cc +@@ -969,9 +969,17 @@ InitializationResult InitializeOncePerPr + // the random source is properly initialized first. + OPENSSL_init(); + #endif // NODE_FIPS_MODE +- // V8 on Windows doesn't have a good source of entropy. Seed it from +- // OpenSSL's pool. +- V8::SetEntropySource(crypto::EntropySource); ++ // Ensure CSPRNG is properly seeded. ++ CHECK(crypto::CSPRNG(nullptr, 0).is_ok()); ++ ++ V8::SetEntropySource([](unsigned char* buffer, size_t length) { ++ // V8 falls back to very weak entropy when this function fails ++ // and /dev/urandom isn't available. That wouldn't be so bad if ++ // the entropy was only used for Math.random() but it's also used for ++ // hash table and address space layout randomization. Better to abort. ++ CHECK(crypto::CSPRNG(buffer, length).is_ok()); ++ return true; ++ }); + #endif // HAVE_OPENSSL + + per_process::v8_platform.Initialize( diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch new file mode 100644 index 0000000000..54da1fba99 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch @@ -0,0 +1,214 @@ +commit 2b433af094fb79cf80f086038b7f36342cb6826f +Author: Tobias Nießen <tniessen@tnie.de> +Date: Sun Sep 25 12:34:05 2022 +0000 + + inspector: harden IP address validation again + + Use inet_pton() to parse IP addresses, which restricts IP addresses + to a small number of well-defined formats. In particular, octal and + hexadecimal number formats are not allowed, and neither are leading + zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable. + + Refs: https://hackerone.com/reports/1710652 + CVE-ID: CVE-2022-43548 + PR-URL: https://github.com/nodejs-private/node-private/pull/354 + Reviewed-by: Michael Dawson <midawson@redhat.com> + Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com> + Reviewed-by: Rich Trott <rtrott@gmail.com> + +CVE: CVE-2022-43548 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-43548.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/src/inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_socket.cc ++++ nodejs-12.22.12~dfsg/src/inspector_socket.cc +@@ -10,6 +10,7 @@ + + #include "openssl/sha.h" // Sha-1 hash + ++#include <algorithm> + #include <cstring> + #include <map> + +@@ -166,25 +167,71 @@ static std::string TrimPort(const std::s + } + + static bool IsIPAddress(const std::string& host) { +- if (host.length() >= 4 && host.front() == '[' && host.back() == ']') ++ // TODO(tniessen): add CVEs to the following bullet points ++ // To avoid DNS rebinding attacks, we are aware of the following requirements: ++ // * the host name must be an IP address, ++ // * the IP address must be routable, and ++ // * the IP address must be formatted unambiguously. ++ ++ // The logic below assumes that the string is null-terminated, so ensure that ++ // we did not somehow end up with null characters within the string. ++ if (host.find('\0') != std::string::npos) return false; ++ ++ // All IPv6 addresses must be enclosed in square brackets, and anything ++ // enclosed in square brackets must be an IPv6 address. ++ if (host.length() >= 4 && host.front() == '[' && host.back() == ']') { ++ // INET6_ADDRSTRLEN is the maximum length of the dual format (including the ++ // terminating null character), which is the longest possible representation ++ // of an IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:ddd.ddd.ddd.ddd ++ if (host.length() - 2 >= INET6_ADDRSTRLEN) return false; ++ ++ // Annoyingly, libuv's implementation of inet_pton() deviates from other ++ // implementations of the function in that it allows '%' in IPv6 addresses. ++ if (host.find('%') != std::string::npos) return false; ++ ++ // Parse the IPv6 address to ensure it is syntactically valid. ++ char ipv6_str[INET6_ADDRSTRLEN]; ++ std::copy(host.begin() + 1, host.end() - 1, ipv6_str); ++ ipv6_str[host.length()] = '\0'; ++ unsigned char ipv6[sizeof(struct in6_addr)]; ++ if (uv_inet_pton(AF_INET6, ipv6_str, ipv6) != 0) return false; ++ ++ // The only non-routable IPv6 address is ::/128. It should not be necessary ++ // to explicitly reject it because it will still be enclosed in square ++ // brackets and not even macOS should make DNS requests in that case, but ++ // history has taught us that we cannot be careful enough. ++ // Note that RFC 4291 defines both "IPv4-Compatible IPv6 Addresses" and ++ // "IPv4-Mapped IPv6 Addresses", which means that there are IPv6 addresses ++ // (other than ::/128) that represent non-routable IPv4 addresses. However, ++ // this translation assumes that the host is interpreted as an IPv6 address ++ // in the first place, at which point DNS rebinding should not be an issue. ++ if (std::all_of(ipv6, ipv6 + sizeof(ipv6), [](auto b) { return b == 0; })) { ++ return false; ++ } ++ ++ // It is a syntactically valid and routable IPv6 address enclosed in square ++ // brackets. No client should be able to misinterpret this. + return true; +- uint_fast16_t accum = 0; +- uint_fast8_t quads = 0; +- bool empty = true; +- auto endOctet = [&accum, &quads, &empty](bool final = false) { +- return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) && +- (empty = true) && !(accum = 0); +- }; +- for (char c : host) { +- if (isdigit(c)) { +- if ((accum = (accum * 10) + (c - '0')) > 0xff) return false; +- empty = false; +- } else if (c != '.' || !endOctet()) { +- return false; +- } +- } +- return endOctet(true); +-} ++ } ++ ++ // Anything not enclosed in square brackets must be an IPv4 address. It is ++ // important here that inet_pton() accepts only the so-called dotted-decimal ++ // notation, which is a strict subset of the so-called numbers-and-dots ++ // notation that is allowed by inet_aton() and inet_addr(). This subset does ++ // not allow hexadecimal or octal number formats. ++ unsigned char ipv4[sizeof(struct in_addr)]; ++ if (uv_inet_pton(AF_INET, host.c_str(), ipv4) != 0) return false; ++ ++ // The only strictly non-routable IPv4 address is 0.0.0.0, and macOS will make ++ // DNS requests for this IP address, so we need to explicitly reject it. In ++ // fact, we can safely reject all of 0.0.0.0/8 (see Section 3.2 of RFC 791 and ++ // Section 3.2.1.3 of RFC 1122). ++ // Note that inet_pton() stores the IPv4 address in network byte order. ++ if (ipv4[0] == 0) return false; ++ ++ // It is a routable IPv4 address in dotted-decimal notation. ++ return true; ++ } + + // Constants for hybi-10 frame format. + +Index: nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/test/cctest/test_inspector_socket.cc ++++ nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +@@ -925,4 +925,84 @@ TEST_F(InspectorSocketTest, HostIpTooMan + expect_handshake_failure(); + } + ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 08.1.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.09.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.1.009:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 01.1.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.001.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.1.01:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6NonRoutable) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [::]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6NonRoutableDual) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [::0.0.0.0]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv4InSquareBrackets) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [127.0.0.1]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6InvalidAbbreviation) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [:::1]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ + } // anonymous namespace diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch new file mode 100644 index 0000000000..790cf92d2e --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch @@ -0,0 +1,4348 @@ +Reviewed-by: Aron Xu <aron@debian.org> +Last-Update: 2023-01-05 +Comment: + This patch updates the embeded copy of llhttp from version 2.1.4 to 2.1.6, + which is upstream's actual fix for CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, + CVE-2022-35256. + Test cases are ported to use mustCall() to replace the later introduced + mustSucceed(), to avoid pulling in too many dependent new test codes. +References: + * https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd + * https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 + +CVE: CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 CVE-2022-35256 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-llhttp.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +--- nodejs-12.22.12~dfsg/deps/llhttp/include/llhttp.h ++++ nodejs-12.22.12~dfsg/deps/llhttp/include/llhttp.h +@@ -3,7 +3,7 @@ + + #define LLHTTP_VERSION_MAJOR 2 + #define LLHTTP_VERSION_MINOR 1 +-#define LLHTTP_VERSION_PATCH 4 ++#define LLHTTP_VERSION_PATCH 6 + + #ifndef LLHTTP_STRICT_MODE + # define LLHTTP_STRICT_MODE 0 +@@ -58,6 +58,7 @@ + HPE_OK = 0, + HPE_INTERNAL = 1, + HPE_STRICT = 2, ++ HPE_CR_EXPECTED = 25, + HPE_LF_EXPECTED = 3, + HPE_UNEXPECTED_CONTENT_LENGTH = 4, + HPE_CLOSED_CONNECTION = 5, +@@ -78,7 +79,7 @@ + HPE_CB_CHUNK_COMPLETE = 20, + HPE_PAUSED = 21, + HPE_PAUSED_UPGRADE = 22, +- HPE_USER = 23 ++ HPE_USER = 24 + }; + typedef enum llhttp_errno llhttp_errno_t; + +@@ -153,6 +154,7 @@ + XX(0, OK, OK) \ + XX(1, INTERNAL, INTERNAL) \ + XX(2, STRICT, STRICT) \ ++ XX(25, CR_EXPECTED, CR_EXPECTED) \ + XX(3, LF_EXPECTED, LF_EXPECTED) \ + XX(4, UNEXPECTED_CONTENT_LENGTH, UNEXPECTED_CONTENT_LENGTH) \ + XX(5, CLOSED_CONNECTION, CLOSED_CONNECTION) \ +@@ -173,7 +175,7 @@ + XX(20, CB_CHUNK_COMPLETE, CB_CHUNK_COMPLETE) \ + XX(21, PAUSED, PAUSED) \ + XX(22, PAUSED_UPGRADE, PAUSED_UPGRADE) \ +- XX(23, USER, USER) \ ++ XX(24, USER, USER) \ + + + #define HTTP_METHOD_MAP(XX) \ +--- nodejs-12.22.12~dfsg/deps/llhttp/src/llhttp.c ++++ nodejs-12.22.12~dfsg/deps/llhttp/src/llhttp.c +@@ -325,6 +325,7 @@ + s_n_llhttp__internal__n_header_value_lws, + s_n_llhttp__internal__n_header_value_almost_done, + s_n_llhttp__internal__n_header_value_lenient, ++ s_n_llhttp__internal__n_error_25, + s_n_llhttp__internal__n_header_value_otherwise, + s_n_llhttp__internal__n_header_value_connection_token, + s_n_llhttp__internal__n_header_value_connection_ws, +@@ -332,14 +333,16 @@ + s_n_llhttp__internal__n_header_value_connection_2, + s_n_llhttp__internal__n_header_value_connection_3, + s_n_llhttp__internal__n_header_value_connection, +- s_n_llhttp__internal__n_error_26, + s_n_llhttp__internal__n_error_27, ++ s_n_llhttp__internal__n_error_28, + s_n_llhttp__internal__n_header_value_content_length_ws, + s_n_llhttp__internal__n_header_value_content_length, +- s_n_llhttp__internal__n_header_value_te_chunked_last, ++ s_n_llhttp__internal__n_error_30, ++ s_n_llhttp__internal__n_error_29, + s_n_llhttp__internal__n_header_value_te_token_ows, + s_n_llhttp__internal__n_header_value, + s_n_llhttp__internal__n_header_value_te_token, ++ s_n_llhttp__internal__n_header_value_te_chunked_last, + s_n_llhttp__internal__n_header_value_te_chunked, + s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1, + s_n_llhttp__internal__n_header_value_discard_ws, +@@ -734,7 +737,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_2( ++int llhttp__internal__c_update_header_state_3( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -742,7 +745,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_4( ++int llhttp__internal__c_update_header_state_1( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -750,7 +753,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_5( ++int llhttp__internal__c_update_header_state_6( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -758,7 +761,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_6( ++int llhttp__internal__c_update_header_state_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -766,7 +769,7 @@ + return 0; + } + +-int llhttp__internal__c_test_flags_6( ++int llhttp__internal__c_test_flags_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -807,6 +810,13 @@ + return 0; + } + ++int llhttp__internal__c_test_flags_8( ++ llhttp__internal_t* state, ++ const unsigned char* p, ++ const unsigned char* endp) { ++ return (state->flags & 8) == 8; ++} ++ + int llhttp__internal__c_or_flags_16( + llhttp__internal_t* state, + const unsigned char* p, +@@ -823,7 +833,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_7( ++int llhttp__internal__c_update_header_state_8( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -831,7 +841,7 @@ + return 0; + } + +-int llhttp__internal__c_or_flags_17( ++int llhttp__internal__c_or_flags_18( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -1554,7 +1564,7 @@ + goto s_n_llhttp__internal__n_header_value_discard_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_22; ++ goto s_n_llhttp__internal__n_error_23; + } + } + /* UNREACHABLE */; +@@ -1567,13 +1577,13 @@ + } + switch (*p) { + case 9: { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + case ' ': { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + default: { +- goto s_n_llhttp__internal__n_invoke_load_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_4; + } + } + /* UNREACHABLE */; +@@ -1590,7 +1600,7 @@ + goto s_n_llhttp__internal__n_header_value_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_23; ++ goto s_n_llhttp__internal__n_error_24; + } + } + /* UNREACHABLE */; +@@ -1603,10 +1613,10 @@ + } + switch (*p) { + case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; + } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; + } + default: { + p++; +@@ -1616,20 +1626,27 @@ + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_error_25: ++ s_n_llhttp__internal__n_error_25: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_header_value_otherwise: + s_n_llhttp__internal__n_header_value_otherwise: { + if (p == endp) { + return s_n_llhttp__internal__n_header_value_otherwise; + } + switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; +- } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_test_flags_5; ++ goto s_n_llhttp__internal__n_invoke_test_flags_6; + } + } + /* UNREACHABLE */; +@@ -1692,10 +1709,10 @@ + } + case ',': { + p++; +- goto s_n_llhttp__internal__n_invoke_load_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_5; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_5; + } + } + /* UNREACHABLE */; +@@ -1713,7 +1730,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_2; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_3; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_1; +@@ -1737,7 +1754,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_5; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_6; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_2; +@@ -1761,7 +1778,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_6; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_7; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_3; +@@ -1806,8 +1823,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_26: +- s_n_llhttp__internal__n_error_26: { ++ case s_n_llhttp__internal__n_error_27: ++ s_n_llhttp__internal__n_error_27: { + state->error = 0xb; + state->reason = "Content-Length overflow"; + state->error_pos = (const char*) p; +@@ -1816,8 +1833,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_27: +- s_n_llhttp__internal__n_error_27: { ++ case s_n_llhttp__internal__n_error_28: ++ s_n_llhttp__internal__n_error_28: { + state->error = 0xb; + state->reason = "Invalid character in Content-Length"; + state->error_pos = (const char*) p; +@@ -1843,7 +1860,7 @@ + goto s_n_llhttp__internal__n_header_value_content_length_ws; + } + default: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6; + } + } + /* UNREACHABLE */; +@@ -1912,26 +1929,23 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_header_value_te_chunked_last: +- s_n_llhttp__internal__n_header_value_te_chunked_last: { +- if (p == endp) { +- return s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case 13: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- default: { +- goto s_n_llhttp__internal__n_header_value_te_chunked; +- } +- } ++ case s_n_llhttp__internal__n_error_30: ++ s_n_llhttp__internal__n_error_30: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_error_29: ++ s_n_llhttp__internal__n_error_29: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; + /* UNREACHABLE */; + abort(); + } +@@ -2048,8 +2062,34 @@ + goto s_n_llhttp__internal__n_header_value_te_token_ows; + } + default: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_header_value_te_chunked_last: ++ s_n_llhttp__internal__n_header_value_te_chunked_last: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ switch (*p) { ++ case 10: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ } ++ case 13: { + goto s_n_llhttp__internal__n_invoke_update_header_state_8; + } ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ case ',': { ++ goto s_n_llhttp__internal__n_invoke_load_type_1; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_header_value_te_token; ++ } + } + /* UNREACHABLE */; + abort(); +@@ -2101,7 +2141,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_header_value_discard_lws; ++ goto s_n_llhttp__internal__n_invoke_test_flags_5; + } + case 13: { + p++; +@@ -2128,7 +2168,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_2; + } + default: { +- goto s_n_llhttp__internal__n_error_28; ++ goto s_n_llhttp__internal__n_error_31; + } + } + /* UNREACHABLE */; +@@ -2218,7 +2258,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_10; + } + } + /* UNREACHABLE */; +@@ -2243,7 +2283,7 @@ + return s_n_llhttp__internal__n_header_field_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2268,7 +2308,7 @@ + return s_n_llhttp__internal__n_header_field_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2289,7 +2329,7 @@ + goto s_n_llhttp__internal__n_header_field_4; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2313,7 +2353,7 @@ + return s_n_llhttp__internal__n_header_field_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2338,7 +2378,7 @@ + return s_n_llhttp__internal__n_header_field_5; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2363,7 +2403,7 @@ + return s_n_llhttp__internal__n_header_field_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2388,7 +2428,7 @@ + return s_n_llhttp__internal__n_header_field_7; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2417,7 +2457,7 @@ + goto s_n_llhttp__internal__n_header_field_7; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2508,7 +2548,7 @@ + goto s_n_llhttp__internal__n_url_to_http_09; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -2533,7 +2573,7 @@ + goto s_n_llhttp__internal__n_url_skip_lf_to_http09_1; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -2550,7 +2590,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -2571,7 +2611,7 @@ + goto s_n_llhttp__internal__n_req_http_end_1; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -2634,7 +2674,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_31; ++ goto s_n_llhttp__internal__n_error_34; + } + } + /* UNREACHABLE */; +@@ -2651,7 +2691,7 @@ + goto s_n_llhttp__internal__n_req_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_32; ++ goto s_n_llhttp__internal__n_error_35; + } + } + /* UNREACHABLE */; +@@ -2714,7 +2754,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major; + } + default: { +- goto s_n_llhttp__internal__n_error_33; ++ goto s_n_llhttp__internal__n_error_36; + } + } + /* UNREACHABLE */; +@@ -2738,7 +2778,7 @@ + return s_n_llhttp__internal__n_req_http_start_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2762,7 +2802,7 @@ + return s_n_llhttp__internal__n_req_http_start_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2787,7 +2827,7 @@ + goto s_n_llhttp__internal__n_req_http_start_2; + } + default: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2878,7 +2918,7 @@ + goto s_n_llhttp__internal__n_url_fragment; + } + default: { +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + } + /* UNREACHABLE */; +@@ -2939,7 +2979,7 @@ + goto s_n_llhttp__internal__n_span_end_stub_query_3; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -2977,7 +3017,7 @@ + goto s_n_llhttp__internal__n_url_query; + } + default: { +- goto s_n_llhttp__internal__n_error_38; ++ goto s_n_llhttp__internal__n_error_41; + } + } + /* UNREACHABLE */; +@@ -3102,10 +3142,10 @@ + } + case 8: { + p++; +- goto s_n_llhttp__internal__n_error_39; ++ goto s_n_llhttp__internal__n_error_42; + } + default: { +- goto s_n_llhttp__internal__n_error_40; ++ goto s_n_llhttp__internal__n_error_43; + } + } + /* UNREACHABLE */; +@@ -3164,7 +3204,7 @@ + goto s_n_llhttp__internal__n_url_server_with_at; + } + default: { +- goto s_n_llhttp__internal__n_error_41; ++ goto s_n_llhttp__internal__n_error_44; + } + } + /* UNREACHABLE */; +@@ -3181,7 +3221,7 @@ + goto s_n_llhttp__internal__n_url_server; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -3199,7 +3239,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 12: { + p++; +@@ -3207,18 +3247,18 @@ + } + case 13: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case ' ': { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case '/': { + p++; + goto s_n_llhttp__internal__n_url_schema_delim_1; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -3264,7 +3304,7 @@ + } + case 2: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 3: { + goto s_n_llhttp__internal__n_span_end_stub_schema; +@@ -3274,7 +3314,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_44; ++ goto s_n_llhttp__internal__n_error_47; + } + } + /* UNREACHABLE */; +@@ -3310,7 +3350,7 @@ + } + case 2: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 3: { + goto s_n_llhttp__internal__n_span_start_stub_path_2; +@@ -3319,7 +3359,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_45; ++ goto s_n_llhttp__internal__n_error_48; + } + } + /* UNREACHABLE */; +@@ -3417,7 +3457,7 @@ + goto s_n_llhttp__internal__n_req_spaces_before_url; + } + default: { +- goto s_n_llhttp__internal__n_error_46; ++ goto s_n_llhttp__internal__n_error_49; + } + } + /* UNREACHABLE */; +@@ -3442,7 +3482,7 @@ + return s_n_llhttp__internal__n_start_req_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3467,7 +3507,7 @@ + return s_n_llhttp__internal__n_start_req_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3492,7 +3532,7 @@ + return s_n_llhttp__internal__n_start_req_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3517,7 +3557,7 @@ + return s_n_llhttp__internal__n_start_req_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3535,7 +3575,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3556,7 +3596,7 @@ + goto s_n_llhttp__internal__n_start_req_7; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3577,7 +3617,7 @@ + goto s_n_llhttp__internal__n_start_req_5; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3602,7 +3642,7 @@ + return s_n_llhttp__internal__n_start_req_8; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3627,7 +3667,7 @@ + return s_n_llhttp__internal__n_start_req_9; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3652,7 +3692,7 @@ + return s_n_llhttp__internal__n_start_req_10; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3677,7 +3717,7 @@ + return s_n_llhttp__internal__n_start_req_12; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3702,7 +3742,7 @@ + return s_n_llhttp__internal__n_start_req_13; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3723,7 +3763,7 @@ + goto s_n_llhttp__internal__n_start_req_13; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3748,7 +3788,7 @@ + return s_n_llhttp__internal__n_start_req_15; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3773,7 +3813,7 @@ + return s_n_llhttp__internal__n_start_req_16; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3798,7 +3838,7 @@ + return s_n_llhttp__internal__n_start_req_18; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3823,7 +3863,7 @@ + return s_n_llhttp__internal__n_start_req_20; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3841,7 +3881,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3862,7 +3902,7 @@ + goto s_n_llhttp__internal__n_start_req_21; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3883,7 +3923,7 @@ + goto s_n_llhttp__internal__n_start_req_19; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3908,7 +3948,7 @@ + return s_n_llhttp__internal__n_start_req_22; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3937,7 +3977,7 @@ + goto s_n_llhttp__internal__n_start_req_22; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3962,7 +4002,7 @@ + return s_n_llhttp__internal__n_start_req_23; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3987,7 +4027,7 @@ + return s_n_llhttp__internal__n_start_req_24; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4012,7 +4052,7 @@ + return s_n_llhttp__internal__n_start_req_26; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4037,7 +4077,7 @@ + return s_n_llhttp__internal__n_start_req_27; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4062,7 +4102,7 @@ + return s_n_llhttp__internal__n_start_req_31; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4087,7 +4127,7 @@ + return s_n_llhttp__internal__n_start_req_32; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4108,7 +4148,7 @@ + goto s_n_llhttp__internal__n_start_req_32; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4125,7 +4165,7 @@ + goto s_n_llhttp__internal__n_start_req_30; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4147,7 +4187,7 @@ + goto s_n_llhttp__internal__n_start_req_29; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4172,7 +4212,7 @@ + return s_n_llhttp__internal__n_start_req_34; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4194,7 +4234,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4223,7 +4263,7 @@ + goto s_n_llhttp__internal__n_start_req_33; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4248,7 +4288,7 @@ + return s_n_llhttp__internal__n_start_req_37; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4273,7 +4313,7 @@ + return s_n_llhttp__internal__n_start_req_38; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4294,7 +4334,7 @@ + goto s_n_llhttp__internal__n_start_req_38; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4311,7 +4351,7 @@ + goto s_n_llhttp__internal__n_start_req_36; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4336,7 +4376,7 @@ + return s_n_llhttp__internal__n_start_req_40; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4361,7 +4401,7 @@ + return s_n_llhttp__internal__n_start_req_41; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4386,7 +4426,7 @@ + return s_n_llhttp__internal__n_start_req_42; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4411,7 +4451,7 @@ + goto s_n_llhttp__internal__n_start_req_42; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4436,7 +4476,7 @@ + return s_n_llhttp__internal__n_start_req_43; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4461,7 +4501,7 @@ + return s_n_llhttp__internal__n_start_req_46; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4486,7 +4526,7 @@ + return s_n_llhttp__internal__n_start_req_48; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4511,7 +4551,7 @@ + return s_n_llhttp__internal__n_start_req_49; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4532,7 +4572,7 @@ + goto s_n_llhttp__internal__n_start_req_49; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4557,7 +4597,7 @@ + return s_n_llhttp__internal__n_start_req_50; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4582,7 +4622,7 @@ + goto s_n_llhttp__internal__n_start_req_50; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4599,7 +4639,7 @@ + goto s_n_llhttp__internal__n_start_req_45; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4672,7 +4712,7 @@ + goto s_n_llhttp__internal__n_start_req_44; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4689,7 +4729,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -4764,7 +4804,7 @@ + goto s_n_llhttp__internal__n_res_status_start; + } + default: { +- goto s_n_llhttp__internal__n_error_49; ++ goto s_n_llhttp__internal__n_error_52; + } + } + /* UNREACHABLE */; +@@ -4844,7 +4884,7 @@ + goto s_n_llhttp__internal__n_invoke_update_status_code; + } + default: { +- goto s_n_llhttp__internal__n_error_50; ++ goto s_n_llhttp__internal__n_error_53; + } + } + /* UNREACHABLE */; +@@ -4907,7 +4947,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor_1; + } + default: { +- goto s_n_llhttp__internal__n_error_51; ++ goto s_n_llhttp__internal__n_error_54; + } + } + /* UNREACHABLE */; +@@ -4924,7 +4964,7 @@ + goto s_n_llhttp__internal__n_res_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_52; ++ goto s_n_llhttp__internal__n_error_55; + } + } + /* UNREACHABLE */; +@@ -4987,7 +5027,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major_1; + } + default: { +- goto s_n_llhttp__internal__n_error_53; ++ goto s_n_llhttp__internal__n_error_56; + } + } + /* UNREACHABLE */; +@@ -5011,7 +5051,7 @@ + return s_n_llhttp__internal__n_start_res; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_56; ++ goto s_n_llhttp__internal__n_error_59; + } + } + /* UNREACHABLE */; +@@ -5036,7 +5076,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5060,7 +5100,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5081,7 +5121,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_3; + } + default: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5098,7 +5138,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5167,7 +5207,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_42: { ++ s_n_llhttp__internal__n_error_45: { + state->error = 0x7; + state->reason = "Invalid characters in url"; + state->error_pos = (const char*) p; +@@ -5655,7 +5695,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_21: { ++ s_n_llhttp__internal__n_error_22: { + state->error = 0xb; + state->reason = "Empty Content-Length"; + state->error_pos = (const char*) p; +@@ -5740,14 +5780,33 @@ + s_n_llhttp__internal__n_invoke_load_header_state: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 2: +- goto s_n_llhttp__internal__n_error_21; ++ goto s_n_llhttp__internal__n_error_22; + default: + goto s_n_llhttp__internal__n_invoke_load_header_state_1; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_22: { ++ s_n_llhttp__internal__n_error_21: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_5: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_header_value_discard_lws; ++ default: ++ goto s_n_llhttp__internal__n_error_21; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_error_23: { + state->error = 0x2; + state->reason = "Expected LF after CR"; + state->error_pos = (const char*) p; +@@ -5757,6 +5816,24 @@ + abort(); + } + s_n_llhttp__internal__n_invoke_update_header_state_1: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ switch (llhttp__internal__c_load_header_state(state, p, endp)) { ++ case 8: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_2: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_start; +@@ -5767,7 +5844,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_7: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5775,7 +5852,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_8: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5783,7 +5860,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_9: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5796,7 +5873,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ s_n_llhttp__internal__n_invoke_load_header_state_4: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_7; +@@ -5812,7 +5889,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_23: { ++ s_n_llhttp__internal__n_error_24: { + state->error = 0x3; + state->reason = "Missing expected LF after header value"; + state->error_pos = (const char*) p; +@@ -5830,6 +5907,24 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_header_value_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; + state->error_pos = (const char*) p; + state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; + return s_error; +@@ -5838,7 +5933,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { + const unsigned char* start; + int err; + +@@ -5856,7 +5951,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { + const unsigned char* start; + int err; + +@@ -5865,35 +5960,25 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; +- state->error_pos = (const char*) (p + 1); +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_25; + return s_error; + } +- p++; +- goto s_n_llhttp__internal__n_header_value_almost_done; +- /* UNREACHABLE */; +- abort(); +- } +- s_n_llhttp__internal__n_error_24: { +- state->error = 0xa; +- state->reason = "Invalid header value char"; +- state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_error; +- return s_error; ++ goto s_n_llhttp__internal__n_error_25; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_5: { ++ s_n_llhttp__internal__n_invoke_test_flags_6: { + switch (llhttp__internal__c_test_flags_2(state, p, endp)) { + case 1: + goto s_n_llhttp__internal__n_header_value_lenient; + default: +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ s_n_llhttp__internal__n_invoke_update_header_state_4: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection; +@@ -5904,7 +5989,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_11: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5912,7 +5997,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_12: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5920,7 +6005,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_13: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5933,7 +6018,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_4: { ++ s_n_llhttp__internal__n_invoke_load_header_state_5: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_11; +@@ -5949,39 +6034,39 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_4: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_5: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_token; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_2: { +- switch (llhttp__internal__c_update_header_state_2(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ switch (llhttp__internal__c_update_header_state_3(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_5: { +- switch (llhttp__internal__c_update_header_state_5(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_6: { ++ switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_6: { +- switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_7: { ++ switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { + const unsigned char* start; + int err; + +@@ -5991,17 +6076,17 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_26; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_27; + return s_error; + } +- goto s_n_llhttp__internal__n_error_26; ++ goto s_n_llhttp__internal__n_error_27; + /* UNREACHABLE */; + abort(); + } + s_n_llhttp__internal__n_invoke_mul_add_content_length_1: { + switch (llhttp__internal__c_mul_add_content_length_1(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; + default: + goto s_n_llhttp__internal__n_header_value_content_length; + } +@@ -6016,7 +6101,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6: { + const unsigned char* start; + int err; + +@@ -6026,14 +6111,14 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_27; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_28; + return s_error; + } +- goto s_n_llhttp__internal__n_error_27; ++ goto s_n_llhttp__internal__n_error_28; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_25: { ++ s_n_llhttp__internal__n_error_26: { + state->error = 0x4; + state->reason = "Duplicate Content-Length"; + state->error_pos = (const char*) p; +@@ -6042,26 +6127,82 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_6: { +- switch (llhttp__internal__c_test_flags_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_7: { ++ switch (llhttp__internal__c_test_flags_7(state, p, endp)) { + case 0: + goto s_n_llhttp__internal__n_header_value_content_length; + default: +- goto s_n_llhttp__internal__n_error_25; ++ goto s_n_llhttp__internal__n_error_26; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_7: { +- switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_30; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_30; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_8: { ++ switch (llhttp__internal__c_update_header_state_8(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_otherwise; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_8: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_29; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_29; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_9: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_1: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_9; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_9: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -6076,6 +6217,34 @@ + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_invoke_or_flags_17: { ++ switch (llhttp__internal__c_or_flags_16(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_and_flags; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_10: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_2: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_10; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_or_flags_16: { + switch (llhttp__internal__c_or_flags_16(state, p, endp)) { + default: +@@ -6084,10 +6253,20 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_or_flags_17: { +- switch (llhttp__internal__c_or_flags_17(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_8: { ++ switch (llhttp__internal__c_test_flags_8(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_load_type_2; + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_or_flags_18: { ++ switch (llhttp__internal__c_or_flags_18(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; + } + /* UNREACHABLE */; + abort(); +@@ -6097,11 +6276,11 @@ + case 1: + goto s_n_llhttp__internal__n_header_value_connection; + case 2: +- goto s_n_llhttp__internal__n_invoke_test_flags_6; ++ goto s_n_llhttp__internal__n_invoke_test_flags_7; + case 3: +- goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ goto s_n_llhttp__internal__n_invoke_test_flags_8; + case 4: +- goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ goto s_n_llhttp__internal__n_invoke_or_flags_18; + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -6144,7 +6323,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_28: { ++ s_n_llhttp__internal__n_error_31: { + state->error = 0xa; + state->reason = "Invalid header token"; + state->error_pos = (const char*) p; +@@ -6153,8 +6332,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_9: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_10: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -6169,8 +6348,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_10: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_11: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -6210,7 +6389,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_29: { ++ s_n_llhttp__internal__n_error_32: { + state->error = 0x7; + state->reason = "Expected CRLF"; + state->error_pos = (const char*) p; +@@ -6236,7 +6415,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_30: { ++ s_n_llhttp__internal__n_error_33: { + state->error = 0x9; + state->reason = "Expected CRLF after version"; + state->error_pos = (const char*) p; +@@ -6253,7 +6432,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_31: { ++ s_n_llhttp__internal__n_error_34: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -6262,7 +6441,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_32: { ++ s_n_llhttp__internal__n_error_35: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -6279,7 +6458,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_33: { ++ s_n_llhttp__internal__n_error_36: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -6288,7 +6467,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_35: { ++ s_n_llhttp__internal__n_error_38: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -6297,7 +6476,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_34: { ++ s_n_llhttp__internal__n_error_37: { + state->error = 0x8; + state->reason = "Expected SOURCE method for ICE/x.x request"; + state->error_pos = (const char*) p; +@@ -6309,7 +6488,7 @@ + s_n_llhttp__internal__n_invoke_is_equal_method_1: { + switch (llhttp__internal__c_is_equal_method_1(state, p, endp)) { + case 0: +- goto s_n_llhttp__internal__n_error_34; ++ goto s_n_llhttp__internal__n_error_37; + default: + goto s_n_llhttp__internal__n_req_http_major; + } +@@ -6384,7 +6563,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_36: { ++ s_n_llhttp__internal__n_error_39: { + state->error = 0x7; + state->reason = "Invalid char in url fragment start"; + state->error_pos = (const char*) p; +@@ -6444,7 +6623,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_37: { ++ s_n_llhttp__internal__n_error_40: { + state->error = 0x7; + state->reason = "Invalid char in url query"; + state->error_pos = (const char*) p; +@@ -6453,7 +6632,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_38: { ++ s_n_llhttp__internal__n_error_41: { + state->error = 0x7; + state->reason = "Invalid char in url path"; + state->error_pos = (const char*) p; +@@ -6564,7 +6743,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_39: { ++ s_n_llhttp__internal__n_error_42: { + state->error = 0x7; + state->reason = "Double @ in url"; + state->error_pos = (const char*) p; +@@ -6573,7 +6752,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_40: { ++ s_n_llhttp__internal__n_error_43: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -6582,7 +6761,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_41: { ++ s_n_llhttp__internal__n_error_44: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -6591,7 +6770,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_43: { ++ s_n_llhttp__internal__n_error_46: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -6600,7 +6779,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_44: { ++ s_n_llhttp__internal__n_error_47: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -6609,7 +6788,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_45: { ++ s_n_llhttp__internal__n_error_48: { + state->error = 0x7; + state->reason = "Unexpected start char in url"; + state->error_pos = (const char*) p; +@@ -6628,7 +6807,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_46: { ++ s_n_llhttp__internal__n_error_49: { + state->error = 0x6; + state->reason = "Expected space after method"; + state->error_pos = (const char*) p; +@@ -6645,7 +6824,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_55: { ++ s_n_llhttp__internal__n_error_58: { + state->error = 0x6; + state->reason = "Invalid method encountered"; + state->error_pos = (const char*) p; +@@ -6654,7 +6833,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_47: { ++ s_n_llhttp__internal__n_error_50: { + state->error = 0xd; + state->reason = "Response overflow"; + state->error_pos = (const char*) p; +@@ -6666,14 +6845,14 @@ + s_n_llhttp__internal__n_invoke_mul_add_status_code: { + switch (llhttp__internal__c_mul_add_status_code(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + default: + goto s_n_llhttp__internal__n_res_status_code; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_48: { ++ s_n_llhttp__internal__n_error_51: { + state->error = 0x2; + state->reason = "Expected LF after CR"; + state->error_pos = (const char*) p; +@@ -6718,7 +6897,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_49: { ++ s_n_llhttp__internal__n_error_52: { + state->error = 0xd; + state->reason = "Invalid response status"; + state->error_pos = (const char*) p; +@@ -6735,7 +6914,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_50: { ++ s_n_llhttp__internal__n_error_53: { + state->error = 0x9; + state->reason = "Expected space after version"; + state->error_pos = (const char*) p; +@@ -6752,7 +6931,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_51: { ++ s_n_llhttp__internal__n_error_54: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -6761,7 +6940,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_52: { ++ s_n_llhttp__internal__n_error_55: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -6778,7 +6957,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_53: { ++ s_n_llhttp__internal__n_error_56: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -6787,7 +6966,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_56: { ++ s_n_llhttp__internal__n_error_59: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -6812,7 +6991,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_54: { ++ s_n_llhttp__internal__n_error_57: { + state->error = 0x8; + state->reason = "Invalid word encountered"; + state->error_pos = (const char*) p; +@@ -7244,6 +7423,7 @@ + s_n_llhttp__internal__n_header_value_lws, + s_n_llhttp__internal__n_header_value_almost_done, + s_n_llhttp__internal__n_header_value_lenient, ++ s_n_llhttp__internal__n_error_19, + s_n_llhttp__internal__n_header_value_otherwise, + s_n_llhttp__internal__n_header_value_connection_token, + s_n_llhttp__internal__n_header_value_connection_ws, +@@ -7251,14 +7431,16 @@ + s_n_llhttp__internal__n_header_value_connection_2, + s_n_llhttp__internal__n_header_value_connection_3, + s_n_llhttp__internal__n_header_value_connection, +- s_n_llhttp__internal__n_error_20, + s_n_llhttp__internal__n_error_21, ++ s_n_llhttp__internal__n_error_22, + s_n_llhttp__internal__n_header_value_content_length_ws, + s_n_llhttp__internal__n_header_value_content_length, +- s_n_llhttp__internal__n_header_value_te_chunked_last, ++ s_n_llhttp__internal__n_error_24, ++ s_n_llhttp__internal__n_error_23, + s_n_llhttp__internal__n_header_value_te_token_ows, + s_n_llhttp__internal__n_header_value, + s_n_llhttp__internal__n_header_value_te_token, ++ s_n_llhttp__internal__n_header_value_te_chunked_last, + s_n_llhttp__internal__n_header_value_te_chunked, + s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1, + s_n_llhttp__internal__n_header_value_discard_ws, +@@ -7648,7 +7830,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_2( ++int llhttp__internal__c_update_header_state_3( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7656,7 +7838,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_4( ++int llhttp__internal__c_update_header_state_1( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7664,7 +7846,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_5( ++int llhttp__internal__c_update_header_state_6( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7672,7 +7854,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_6( ++int llhttp__internal__c_update_header_state_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7680,7 +7862,7 @@ + return 0; + } + +-int llhttp__internal__c_test_flags_6( ++int llhttp__internal__c_test_flags_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7721,6 +7903,13 @@ + return 0; + } + ++int llhttp__internal__c_test_flags_8( ++ llhttp__internal_t* state, ++ const unsigned char* p, ++ const unsigned char* endp) { ++ return (state->flags & 8) == 8; ++} ++ + int llhttp__internal__c_or_flags_16( + llhttp__internal_t* state, + const unsigned char* p, +@@ -7737,7 +7926,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_7( ++int llhttp__internal__c_update_header_state_8( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7745,7 +7934,7 @@ + return 0; + } + +-int llhttp__internal__c_or_flags_17( ++int llhttp__internal__c_or_flags_18( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -8432,13 +8621,13 @@ + } + switch (*p) { + case 9: { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + case ' ': { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + default: { +- goto s_n_llhttp__internal__n_invoke_load_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_4; + } + } + /* UNREACHABLE */; +@@ -8455,7 +8644,7 @@ + goto s_n_llhttp__internal__n_header_value_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_17; ++ goto s_n_llhttp__internal__n_error_18; + } + } + /* UNREACHABLE */; +@@ -8468,10 +8657,10 @@ + } + switch (*p) { + case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; + } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; + } + default: { + p++; +@@ -8481,20 +8670,27 @@ + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_error_19: ++ s_n_llhttp__internal__n_error_19: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_header_value_otherwise: + s_n_llhttp__internal__n_header_value_otherwise: { + if (p == endp) { + return s_n_llhttp__internal__n_header_value_otherwise; + } + switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; +- } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_test_flags_5; ++ goto s_n_llhttp__internal__n_invoke_test_flags_6; + } + } + /* UNREACHABLE */; +@@ -8557,10 +8753,10 @@ + } + case ',': { + p++; +- goto s_n_llhttp__internal__n_invoke_load_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_5; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_5; + } + } + /* UNREACHABLE */; +@@ -8578,7 +8774,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_2; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_3; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_1; +@@ -8602,7 +8798,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_5; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_6; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_2; +@@ -8626,7 +8822,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_6; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_7; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_3; +@@ -8671,8 +8867,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_20: +- s_n_llhttp__internal__n_error_20: { ++ case s_n_llhttp__internal__n_error_21: ++ s_n_llhttp__internal__n_error_21: { + state->error = 0xb; + state->reason = "Content-Length overflow"; + state->error_pos = (const char*) p; +@@ -8681,8 +8877,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_21: +- s_n_llhttp__internal__n_error_21: { ++ case s_n_llhttp__internal__n_error_22: ++ s_n_llhttp__internal__n_error_22: { + state->error = 0xb; + state->reason = "Invalid character in Content-Length"; + state->error_pos = (const char*) p; +@@ -8708,7 +8904,7 @@ + goto s_n_llhttp__internal__n_header_value_content_length_ws; + } + default: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6; + } + } + /* UNREACHABLE */; +@@ -8777,26 +8973,23 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_header_value_te_chunked_last: +- s_n_llhttp__internal__n_header_value_te_chunked_last: { +- if (p == endp) { +- return s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case 13: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- default: { +- goto s_n_llhttp__internal__n_header_value_te_chunked; +- } +- } ++ case s_n_llhttp__internal__n_error_24: ++ s_n_llhttp__internal__n_error_24: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_error_23: ++ s_n_llhttp__internal__n_error_23: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; + /* UNREACHABLE */; + abort(); + } +@@ -8913,8 +9106,34 @@ + goto s_n_llhttp__internal__n_header_value_te_token_ows; + } + default: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_header_value_te_chunked_last: ++ s_n_llhttp__internal__n_header_value_te_chunked_last: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ switch (*p) { ++ case 10: { + goto s_n_llhttp__internal__n_invoke_update_header_state_8; + } ++ case 13: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ } ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ case ',': { ++ goto s_n_llhttp__internal__n_invoke_load_type_1; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_header_value_te_token; ++ } + } + /* UNREACHABLE */; + abort(); +@@ -8966,7 +9185,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_header_value_discard_lws; ++ goto s_n_llhttp__internal__n_invoke_test_flags_5; + } + case 13: { + p++; +@@ -8993,7 +9212,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_2; + } + default: { +- goto s_n_llhttp__internal__n_error_22; ++ goto s_n_llhttp__internal__n_error_25; + } + } + /* UNREACHABLE */; +@@ -9083,7 +9302,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_10; + } + } + /* UNREACHABLE */; +@@ -9108,7 +9327,7 @@ + return s_n_llhttp__internal__n_header_field_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9133,7 +9352,7 @@ + return s_n_llhttp__internal__n_header_field_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9154,7 +9373,7 @@ + goto s_n_llhttp__internal__n_header_field_4; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9178,7 +9397,7 @@ + return s_n_llhttp__internal__n_header_field_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9203,7 +9422,7 @@ + return s_n_llhttp__internal__n_header_field_5; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9228,7 +9447,7 @@ + return s_n_llhttp__internal__n_header_field_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9253,7 +9472,7 @@ + return s_n_llhttp__internal__n_header_field_7; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9282,7 +9501,7 @@ + goto s_n_llhttp__internal__n_header_field_7; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9347,7 +9566,7 @@ + return s_n_llhttp__internal__n_url_skip_lf_to_http09; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_23; ++ goto s_n_llhttp__internal__n_error_26; + } + } + /* UNREACHABLE */; +@@ -9364,7 +9583,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_error_27; + } + } + /* UNREACHABLE */; +@@ -9385,7 +9604,7 @@ + goto s_n_llhttp__internal__n_req_http_end_1; + } + default: { +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_error_27; + } + } + /* UNREACHABLE */; +@@ -9448,7 +9667,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_25; ++ goto s_n_llhttp__internal__n_error_28; + } + } + /* UNREACHABLE */; +@@ -9465,7 +9684,7 @@ + goto s_n_llhttp__internal__n_req_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_26; ++ goto s_n_llhttp__internal__n_error_29; + } + } + /* UNREACHABLE */; +@@ -9528,7 +9747,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major; + } + default: { +- goto s_n_llhttp__internal__n_error_27; ++ goto s_n_llhttp__internal__n_error_30; + } + } + /* UNREACHABLE */; +@@ -9552,7 +9771,7 @@ + return s_n_llhttp__internal__n_req_http_start_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9576,7 +9795,7 @@ + return s_n_llhttp__internal__n_req_http_start_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9601,7 +9820,7 @@ + goto s_n_llhttp__internal__n_req_http_start_2; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9655,7 +9874,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_url_8; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -9712,7 +9931,7 @@ + goto s_n_llhttp__internal__n_span_end_stub_query_3; + } + default: { +- goto s_n_llhttp__internal__n_error_31; ++ goto s_n_llhttp__internal__n_error_34; + } + } + /* UNREACHABLE */; +@@ -9742,7 +9961,7 @@ + goto s_n_llhttp__internal__n_url_query; + } + default: { +- goto s_n_llhttp__internal__n_error_32; ++ goto s_n_llhttp__internal__n_error_35; + } + } + /* UNREACHABLE */; +@@ -9883,10 +10102,10 @@ + } + case 7: { + p++; +- goto s_n_llhttp__internal__n_error_33; ++ goto s_n_llhttp__internal__n_error_36; + } + default: { +- goto s_n_llhttp__internal__n_error_34; ++ goto s_n_llhttp__internal__n_error_37; + } + } + /* UNREACHABLE */; +@@ -9941,7 +10160,7 @@ + goto s_n_llhttp__internal__n_url_server_with_at; + } + default: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -9958,7 +10177,7 @@ + goto s_n_llhttp__internal__n_url_server; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -9972,22 +10191,22 @@ + switch (*p) { + case 10: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 13: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case ' ': { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case '/': { + p++; + goto s_n_llhttp__internal__n_url_schema_delim_1; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -10029,7 +10248,7 @@ + switch (lookup_table[(uint8_t) *p]) { + case 1: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 2: { + goto s_n_llhttp__internal__n_span_end_stub_schema; +@@ -10039,7 +10258,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_38; ++ goto s_n_llhttp__internal__n_error_41; + } + } + /* UNREACHABLE */; +@@ -10071,7 +10290,7 @@ + switch (lookup_table[(uint8_t) *p]) { + case 1: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 2: { + goto s_n_llhttp__internal__n_span_start_stub_path_2; +@@ -10080,7 +10299,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_39; ++ goto s_n_llhttp__internal__n_error_42; + } + } + /* UNREACHABLE */; +@@ -10136,7 +10355,7 @@ + goto s_n_llhttp__internal__n_req_spaces_before_url; + } + default: { +- goto s_n_llhttp__internal__n_error_40; ++ goto s_n_llhttp__internal__n_error_43; + } + } + /* UNREACHABLE */; +@@ -10161,7 +10380,7 @@ + return s_n_llhttp__internal__n_start_req_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10186,7 +10405,7 @@ + return s_n_llhttp__internal__n_start_req_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10211,7 +10430,7 @@ + return s_n_llhttp__internal__n_start_req_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10236,7 +10455,7 @@ + return s_n_llhttp__internal__n_start_req_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10254,7 +10473,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10275,7 +10494,7 @@ + goto s_n_llhttp__internal__n_start_req_7; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10296,7 +10515,7 @@ + goto s_n_llhttp__internal__n_start_req_5; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10321,7 +10540,7 @@ + return s_n_llhttp__internal__n_start_req_8; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10346,7 +10565,7 @@ + return s_n_llhttp__internal__n_start_req_9; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10371,7 +10590,7 @@ + return s_n_llhttp__internal__n_start_req_10; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10396,7 +10615,7 @@ + return s_n_llhttp__internal__n_start_req_12; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10421,7 +10640,7 @@ + return s_n_llhttp__internal__n_start_req_13; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10442,7 +10661,7 @@ + goto s_n_llhttp__internal__n_start_req_13; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10467,7 +10686,7 @@ + return s_n_llhttp__internal__n_start_req_15; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10492,7 +10711,7 @@ + return s_n_llhttp__internal__n_start_req_16; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10517,7 +10736,7 @@ + return s_n_llhttp__internal__n_start_req_18; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10542,7 +10761,7 @@ + return s_n_llhttp__internal__n_start_req_20; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10560,7 +10779,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10581,7 +10800,7 @@ + goto s_n_llhttp__internal__n_start_req_21; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10602,7 +10821,7 @@ + goto s_n_llhttp__internal__n_start_req_19; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10627,7 +10846,7 @@ + return s_n_llhttp__internal__n_start_req_22; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10656,7 +10875,7 @@ + goto s_n_llhttp__internal__n_start_req_22; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10681,7 +10900,7 @@ + return s_n_llhttp__internal__n_start_req_23; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10706,7 +10925,7 @@ + return s_n_llhttp__internal__n_start_req_24; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10731,7 +10950,7 @@ + return s_n_llhttp__internal__n_start_req_26; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10756,7 +10975,7 @@ + return s_n_llhttp__internal__n_start_req_27; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10781,7 +11000,7 @@ + return s_n_llhttp__internal__n_start_req_31; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10806,7 +11025,7 @@ + return s_n_llhttp__internal__n_start_req_32; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10827,7 +11046,7 @@ + goto s_n_llhttp__internal__n_start_req_32; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10844,7 +11063,7 @@ + goto s_n_llhttp__internal__n_start_req_30; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10866,7 +11085,7 @@ + goto s_n_llhttp__internal__n_start_req_29; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10891,7 +11110,7 @@ + return s_n_llhttp__internal__n_start_req_34; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10913,7 +11132,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10942,7 +11161,7 @@ + goto s_n_llhttp__internal__n_start_req_33; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10967,7 +11186,7 @@ + return s_n_llhttp__internal__n_start_req_37; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10992,7 +11211,7 @@ + return s_n_llhttp__internal__n_start_req_38; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11013,7 +11232,7 @@ + goto s_n_llhttp__internal__n_start_req_38; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11030,7 +11249,7 @@ + goto s_n_llhttp__internal__n_start_req_36; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11055,7 +11274,7 @@ + return s_n_llhttp__internal__n_start_req_40; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11080,7 +11299,7 @@ + return s_n_llhttp__internal__n_start_req_41; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11105,7 +11324,7 @@ + return s_n_llhttp__internal__n_start_req_42; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11130,7 +11349,7 @@ + goto s_n_llhttp__internal__n_start_req_42; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11155,7 +11374,7 @@ + return s_n_llhttp__internal__n_start_req_43; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11180,7 +11399,7 @@ + return s_n_llhttp__internal__n_start_req_46; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11205,7 +11424,7 @@ + return s_n_llhttp__internal__n_start_req_48; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11230,7 +11449,7 @@ + return s_n_llhttp__internal__n_start_req_49; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11251,7 +11470,7 @@ + goto s_n_llhttp__internal__n_start_req_49; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11276,7 +11495,7 @@ + return s_n_llhttp__internal__n_start_req_50; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11301,7 +11520,7 @@ + goto s_n_llhttp__internal__n_start_req_50; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11318,7 +11537,7 @@ + goto s_n_llhttp__internal__n_start_req_45; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11391,7 +11610,7 @@ + goto s_n_llhttp__internal__n_start_req_44; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11476,7 +11695,7 @@ + goto s_n_llhttp__internal__n_res_status_start; + } + default: { +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + } + /* UNREACHABLE */; +@@ -11556,7 +11775,7 @@ + goto s_n_llhttp__internal__n_invoke_update_status_code; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -11619,7 +11838,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor_1; + } + default: { +- goto s_n_llhttp__internal__n_error_44; ++ goto s_n_llhttp__internal__n_error_47; + } + } + /* UNREACHABLE */; +@@ -11636,7 +11855,7 @@ + goto s_n_llhttp__internal__n_res_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_45; ++ goto s_n_llhttp__internal__n_error_48; + } + } + /* UNREACHABLE */; +@@ -11699,7 +11918,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major_1; + } + default: { +- goto s_n_llhttp__internal__n_error_46; ++ goto s_n_llhttp__internal__n_error_49; + } + } + /* UNREACHABLE */; +@@ -11723,7 +11942,7 @@ + return s_n_llhttp__internal__n_start_res; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_49; ++ goto s_n_llhttp__internal__n_error_52; + } + } + /* UNREACHABLE */; +@@ -11748,7 +11967,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11772,7 +11991,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11793,7 +12012,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_3; + } + default: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11810,7 +12029,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11870,7 +12089,7 @@ + /* UNREACHABLE */ + abort(); + } +- s_n_llhttp__internal__n_error_36: { ++ s_n_llhttp__internal__n_error_39: { + state->error = 0x7; + state->reason = "Invalid characters in url"; + state->error_pos = (const char*) p; +@@ -12314,7 +12533,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_16: { ++ s_n_llhttp__internal__n_error_17: { + state->error = 0xb; + state->reason = "Empty Content-Length"; + state->error_pos = (const char*) p; +@@ -12399,14 +12618,51 @@ + s_n_llhttp__internal__n_invoke_load_header_state: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 2: +- goto s_n_llhttp__internal__n_error_16; ++ goto s_n_llhttp__internal__n_error_17; + default: + goto s_n_llhttp__internal__n_invoke_load_header_state_1; + } + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_error_16: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_5: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_header_value_discard_lws; ++ default: ++ goto s_n_llhttp__internal__n_error_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_update_header_state_1: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ switch (llhttp__internal__c_load_header_state(state, p, endp)) { ++ case 8: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_2: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_start; +@@ -12417,7 +12673,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_7: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12425,7 +12681,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_8: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12433,7 +12689,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_9: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12446,7 +12702,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ s_n_llhttp__internal__n_invoke_load_header_state_4: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_7; +@@ -12462,7 +12718,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_17: { ++ s_n_llhttp__internal__n_error_18: { + state->error = 0x3; + state->reason = "Missing expected LF after header value"; + state->error_pos = (const char*) p; +@@ -12480,6 +12736,24 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_header_value_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; + state->error_pos = (const char*) p; + state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; + return s_error; +@@ -12488,7 +12762,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { + const unsigned char* start; + int err; + +@@ -12506,7 +12780,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { + const unsigned char* start; + int err; + +@@ -12515,35 +12789,25 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; +- state->error_pos = (const char*) (p + 1); +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_19; + return s_error; + } +- p++; +- goto s_n_llhttp__internal__n_header_value_almost_done; ++ goto s_n_llhttp__internal__n_error_19; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_18: { +- state->error = 0xa; +- state->reason = "Invalid header value char"; +- state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_error; +- return s_error; +- /* UNREACHABLE */; +- abort(); +- } +- s_n_llhttp__internal__n_invoke_test_flags_5: { ++ s_n_llhttp__internal__n_invoke_test_flags_6: { + switch (llhttp__internal__c_test_flags_2(state, p, endp)) { + case 1: + goto s_n_llhttp__internal__n_header_value_lenient; + default: +- goto s_n_llhttp__internal__n_error_18; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ s_n_llhttp__internal__n_invoke_update_header_state_4: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection; +@@ -12554,7 +12818,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_11: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12562,7 +12826,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_12: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12570,7 +12834,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_13: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12583,7 +12847,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_4: { ++ s_n_llhttp__internal__n_invoke_load_header_state_5: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_11; +@@ -12599,39 +12863,39 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_4: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_5: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_token; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_2: { +- switch (llhttp__internal__c_update_header_state_2(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ switch (llhttp__internal__c_update_header_state_3(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_5: { +- switch (llhttp__internal__c_update_header_state_5(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_6: { ++ switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_6: { +- switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_7: { ++ switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { + const unsigned char* start; + int err; + +@@ -12641,17 +12905,17 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_20; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_21; + return s_error; + } +- goto s_n_llhttp__internal__n_error_20; ++ goto s_n_llhttp__internal__n_error_21; + /* UNREACHABLE */; + abort(); + } + s_n_llhttp__internal__n_invoke_mul_add_content_length_1: { + switch (llhttp__internal__c_mul_add_content_length_1(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; + default: + goto s_n_llhttp__internal__n_header_value_content_length; + } +@@ -12666,7 +12930,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6: { + const unsigned char* start; + int err; + +@@ -12676,14 +12940,14 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_21; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_22; + return s_error; + } +- goto s_n_llhttp__internal__n_error_21; ++ goto s_n_llhttp__internal__n_error_22; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_19: { ++ s_n_llhttp__internal__n_error_20: { + state->error = 0x4; + state->reason = "Duplicate Content-Length"; + state->error_pos = (const char*) p; +@@ -12692,26 +12956,82 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_6: { +- switch (llhttp__internal__c_test_flags_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_7: { ++ switch (llhttp__internal__c_test_flags_7(state, p, endp)) { + case 0: + goto s_n_llhttp__internal__n_header_value_content_length; + default: +- goto s_n_llhttp__internal__n_error_19; ++ goto s_n_llhttp__internal__n_error_20; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_7: { +- switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_24; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_24; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_8: { ++ switch (llhttp__internal__c_update_header_state_8(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_otherwise; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_8: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_23; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_23; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_9: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_1: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_9; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_9: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -12726,6 +13046,34 @@ + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_invoke_or_flags_17: { ++ switch (llhttp__internal__c_or_flags_16(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_and_flags; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_10: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_2: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_10; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_or_flags_16: { + switch (llhttp__internal__c_or_flags_16(state, p, endp)) { + default: +@@ -12734,10 +13082,20 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_or_flags_17: { +- switch (llhttp__internal__c_or_flags_17(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_8: { ++ switch (llhttp__internal__c_test_flags_8(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_load_type_2; + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_or_flags_18: { ++ switch (llhttp__internal__c_or_flags_18(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; + } + /* UNREACHABLE */; + abort(); +@@ -12747,11 +13105,11 @@ + case 1: + goto s_n_llhttp__internal__n_header_value_connection; + case 2: +- goto s_n_llhttp__internal__n_invoke_test_flags_6; ++ goto s_n_llhttp__internal__n_invoke_test_flags_7; + case 3: +- goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ goto s_n_llhttp__internal__n_invoke_test_flags_8; + case 4: +- goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ goto s_n_llhttp__internal__n_invoke_or_flags_18; + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -12794,7 +13152,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_22: { ++ s_n_llhttp__internal__n_error_25: { + state->error = 0xa; + state->reason = "Invalid header token"; + state->error_pos = (const char*) p; +@@ -12803,8 +13161,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_9: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_10: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -12819,8 +13177,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_10: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_11: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -12860,7 +13218,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_23: { ++ s_n_llhttp__internal__n_error_26: { + state->error = 0x7; + state->reason = "Expected CRLF"; + state->error_pos = (const char*) p; +@@ -12886,7 +13244,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_24: { ++ s_n_llhttp__internal__n_error_27: { + state->error = 0x9; + state->reason = "Expected CRLF after version"; + state->error_pos = (const char*) p; +@@ -12903,7 +13261,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_25: { ++ s_n_llhttp__internal__n_error_28: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -12912,7 +13270,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_26: { ++ s_n_llhttp__internal__n_error_29: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -12929,7 +13287,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_27: { ++ s_n_llhttp__internal__n_error_30: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -12938,7 +13296,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_29: { ++ s_n_llhttp__internal__n_error_32: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -12947,7 +13305,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_28: { ++ s_n_llhttp__internal__n_error_31: { + state->error = 0x8; + state->reason = "Expected SOURCE method for ICE/x.x request"; + state->error_pos = (const char*) p; +@@ -12959,7 +13317,7 @@ + s_n_llhttp__internal__n_invoke_is_equal_method_1: { + switch (llhttp__internal__c_is_equal_method_1(state, p, endp)) { + case 0: +- goto s_n_llhttp__internal__n_error_28; ++ goto s_n_llhttp__internal__n_error_31; + default: + goto s_n_llhttp__internal__n_req_http_major; + } +@@ -13034,7 +13392,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_30: { ++ s_n_llhttp__internal__n_error_33: { + state->error = 0x7; + state->reason = "Invalid char in url fragment start"; + state->error_pos = (const char*) p; +@@ -13094,7 +13452,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_31: { ++ s_n_llhttp__internal__n_error_34: { + state->error = 0x7; + state->reason = "Invalid char in url query"; + state->error_pos = (const char*) p; +@@ -13103,7 +13461,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_32: { ++ s_n_llhttp__internal__n_error_35: { + state->error = 0x7; + state->reason = "Invalid char in url path"; + state->error_pos = (const char*) p; +@@ -13214,7 +13572,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_33: { ++ s_n_llhttp__internal__n_error_36: { + state->error = 0x7; + state->reason = "Double @ in url"; + state->error_pos = (const char*) p; +@@ -13223,7 +13581,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_34: { ++ s_n_llhttp__internal__n_error_37: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -13232,7 +13590,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_35: { ++ s_n_llhttp__internal__n_error_38: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -13241,7 +13599,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_37: { ++ s_n_llhttp__internal__n_error_40: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -13250,7 +13608,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_38: { ++ s_n_llhttp__internal__n_error_41: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -13259,7 +13617,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_39: { ++ s_n_llhttp__internal__n_error_42: { + state->error = 0x7; + state->reason = "Unexpected start char in url"; + state->error_pos = (const char*) p; +@@ -13278,7 +13636,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_40: { ++ s_n_llhttp__internal__n_error_43: { + state->error = 0x6; + state->reason = "Expected space after method"; + state->error_pos = (const char*) p; +@@ -13295,7 +13653,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_48: { ++ s_n_llhttp__internal__n_error_51: { + state->error = 0x6; + state->reason = "Invalid method encountered"; + state->error_pos = (const char*) p; +@@ -13304,7 +13662,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_41: { ++ s_n_llhttp__internal__n_error_44: { + state->error = 0xd; + state->reason = "Response overflow"; + state->error_pos = (const char*) p; +@@ -13316,7 +13674,7 @@ + s_n_llhttp__internal__n_invoke_mul_add_status_code: { + switch (llhttp__internal__c_mul_add_status_code(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_error_41; ++ goto s_n_llhttp__internal__n_error_44; + default: + goto s_n_llhttp__internal__n_res_status_code; + } +@@ -13359,7 +13717,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_42: { ++ s_n_llhttp__internal__n_error_45: { + state->error = 0xd; + state->reason = "Invalid response status"; + state->error_pos = (const char*) p; +@@ -13376,7 +13734,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_43: { ++ s_n_llhttp__internal__n_error_46: { + state->error = 0x9; + state->reason = "Expected space after version"; + state->error_pos = (const char*) p; +@@ -13393,7 +13751,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_44: { ++ s_n_llhttp__internal__n_error_47: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -13402,7 +13760,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_45: { ++ s_n_llhttp__internal__n_error_48: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -13419,7 +13777,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_46: { ++ s_n_llhttp__internal__n_error_49: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -13428,7 +13786,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_49: { ++ s_n_llhttp__internal__n_error_52: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -13453,7 +13811,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_47: { ++ s_n_llhttp__internal__n_error_50: { + state->error = 0x8; + state->reason = "Invalid word encountered"; + state->error_pos = (const char*) p; +--- nodejs-12.22.12~dfsg/test/parallel/test-http-invalid-te.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-invalid-te.js +@@ -13,7 +13,7 @@ Content-Type: text/plain; charset=utf-8 + Host: hacker.exploit.com + Connection: keep-alive + Content-Length: 10 +-Transfer-Encoding: chunked, eee ++Transfer-Encoding: eee, chunked + + HELLOWORLDPOST / HTTP/1.1 + Content-Type: text/plain; charset=utf-8 +--- nodejs-12.22.12~dfsg/test/parallel/test-http-missing-header-separator-cr.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-missing-header-separator-cr.js +@@ -0,0 +1,83 @@ ++'use strict'; ++ ++const common = require('../common'); ++const assert = require('assert'); ++ ++const http = require('http'); ++const net = require('net'); ++ ++function serverHandler(server, msg) { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++} ++ ++{ ++ const msg = [ ++ 'GET / HTTP/1.1', ++ 'Host: localhost', ++ 'Dummy: x\nContent-Length: 23', ++ '', ++ 'GET / HTTP/1.1', ++ 'Dummy: GET /admin HTTP/1.1', ++ 'Host: localhost', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} ++ ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: localhost', ++ 'x:x\nTransfer-Encoding: chunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} ++ ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: localhost', ++ 'x:\nTransfer-Encoding: chunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} +--- /dev/null ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-repeated-chunked.js +@@ -0,0 +1,51 @@ ++'use strict'; ++ ++const common = require('../common'); ++const assert = require('assert'); ++ ++const http = require('http'); ++const net = require('net'); ++ ++const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunkedchunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++].join('\r\n'); ++ ++const server = http.createServer(common.mustCall((req, res) => { ++ // Verify that no data is received ++ ++ req.on('data', common.mustNotCall()); ++ ++ req.on('end', common.mustNotCall(() => { ++ res.writeHead(200, { 'Content-Type': 'text/plain' }); ++ res.end(); ++ })); ++}, 1)); ++ ++server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++})); +--- nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-smuggling.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-smuggling.js +@@ -1,46 +1,89 @@ + 'use strict'; + + const common = require('../common'); +- + const assert = require('assert'); ++ + const http = require('http'); + const net = require('net'); + +-const msg = [ +- 'POST / HTTP/1.1', +- 'Host: 127.0.0.1', +- 'Transfer-Encoding: chunked', +- 'Transfer-Encoding: chunked-false', +- 'Connection: upgrade', +- '', +- '1', +- 'A', +- '0', +- '', +- 'GET /flag HTTP/1.1', +- 'Host: 127.0.0.1', +- '', +- '', +-].join('\r\n'); +- +-// Verify that the server is called only once even with a smuggled request. +- +-const server = http.createServer(common.mustCall((req, res) => { +- res.end(); +-}, 1)); +- +-function send(next) { +- const client = net.connect(server.address().port, 'localhost'); +- client.setEncoding('utf8'); +- client.on('error', common.mustNotCall()); +- client.on('end', next); +- client.write(msg); +- client.resume(); ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunked', ++ 'Transfer-Encoding: chunked-false', ++ 'Connection: upgrade', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ 'GET /flag HTTP/1.1', ++ 'Host: 127.0.0.1', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall((req, res) => { ++ res.end(); ++ }, 1)); ++ ++ server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ // Verify that the server listener is never called ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++ })); + } + +-server.listen(0, common.mustCall((err) => { +- assert.ifError(err); +- send(common.mustCall(() => { +- server.close(); ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunked', ++ ' , chunked-false', ++ 'Connection: upgrade', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ 'GET /flag HTTP/1.1', ++ 'Host: 127.0.0.1', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustCall((request, response) => { ++ assert.notStrictEqual(request.url, '/admin'); ++ response.end('hello world'); ++ }), 1); ++ ++ server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ client.on('end', common.mustCall(function() { ++ server.close(); ++ })); ++ ++ client.write(msg); ++ client.resume(); + })); +-})); ++} +--- nodejs-12.22.12~dfsg/test/parallel/test-http-header-overflow.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-header-overflow.js +@@ -1,3 +1,5 @@ ++// Flags: --expose-internals ++ + 'use strict'; + const { expectsError, mustCall } = require('../common'); + const assert = require('assert'); +@@ -8,7 +10,7 @@ const CRLF = '\r\n'; + const DUMMY_HEADER_NAME = 'Cookie: '; + const DUMMY_HEADER_VALUE = 'a'.repeat( + // Plus one is to make it 1 byte too big +- maxHeaderSize - DUMMY_HEADER_NAME.length - (2 * CRLF.length) + 1 ++ maxHeaderSize - DUMMY_HEADER_NAME.length + 2 + ); + const PAYLOAD_GET = 'GET /blah HTTP/1.1'; + const PAYLOAD = PAYLOAD_GET + CRLF + +@@ -21,7 +23,7 @@ server.on('connection', mustCall((socket + name: 'Error', + message: 'Parse Error: Header overflow', + code: 'HPE_HEADER_OVERFLOW', +- bytesParsed: maxHeaderSize + PAYLOAD_GET.length, ++ bytesParsed: maxHeaderSize + PAYLOAD_GET.length + (CRLF.length * 2) + 1, + rawPacket: Buffer.from(PAYLOAD) + })); + })); diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch b/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch new file mode 100644 index 0000000000..dd21af6b3a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch @@ -0,0 +1,63 @@ +From 576aed71db7b40c90b44c623580629792a606928 Mon Sep 17 00:00:00 2001 +From: Jiawen Geng <technicalcute@gmail.com> +Date: Fri, 14 Oct 2022 09:54:33 +0800 +Subject: [PATCH] deps: V8: cherry-pick c2792e58035f +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Original commit message: + + [base] Fix build with gcc-13 + + See https://gcc.gnu.org/gcc-13/porting_to.html#header-dep-changes. + + Also see Gentoo Linux bug report: https://bugs.gentoo.org/865981 + + Change-Id: I421f396b02ba37e12ee70048ee33e034f8113566 + Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934140 + Reviewed-by: Clemens Backes <clemensb@chromium.org> + Reviewed-by: Simon Zund <szuend@chromium.org> + Commit-Queue: Clemens Backes <clemensb@chromium.org> + Cr-Commit-Position: refs/heads/main@{#83587} + +Refs: https://github.com/v8/v8/commit/c2792e58035fcbaa16d0cb70998852fbeb5df4cc +PR-URL: https://github.com/nodejs/node/pull/44961 +Fixes: https://github.com/nodejs/node/issues/43642 +Reviewed-By: Michael Zasso <targos@protonmail.com> +Reviewed-By: Richard Lau <rlau@redhat.com> +Reviewed-By: Luigi Pinca <luigipinca@gmail.com> +Reviewed-By: Colin Ihrig <cjihrig@gmail.com> + +Upstream-Status: Backport [https://github.com/nodejs/node/commit/0be1c5728173ea9ac42843058e26b6268568acf0] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + deps/v8/AUTHORS | 1 + + deps/v8/src/base/logging.h | 1 + + deps/v8/src/inspector/v8-string-conversions.h | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/deps/v8/src/base/logging.h b/deps/v8/src/base/logging.h +index 08db24a9..38be165f 100644 +--- a/deps/v8/src/base/logging.h ++++ b/deps/v8/src/base/logging.h +@@ -5,6 +5,7 @@ + #ifndef V8_BASE_LOGGING_H_ + #define V8_BASE_LOGGING_H_ + ++#include <cstdint> + #include <cstring> + #include <sstream> + #include <string> +diff --git a/deps/v8/src/inspector/v8-string-conversions.h b/deps/v8/src/inspector/v8-string-conversions.h +index c1d69c18..eb33c681 100644 +--- a/deps/v8/src/inspector/v8-string-conversions.h ++++ b/deps/v8/src/inspector/v8-string-conversions.h +@@ -5,6 +5,7 @@ + #ifndef V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ + #define V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ + ++#include <cstdint> + #include <string> + + // Conversion routines between UT8 and UTF16, used by string-16.{h,cc}. You may diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch new file mode 100644 index 0000000000..cdf6bc8e23 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch @@ -0,0 +1,21 @@ +Link mksnapshot with libatomic on x86 + +Clang-12 on x86 emits atomic builtins + +Fixes +| module-compiler.cc:(.text._ZN2v88internal4wasm12_GLOBAL__N_123ExecuteCompilationUnitsERKSt10shared_ptrINS2_22BackgroundCompileTokenEEPNS0_8CountersEiNS2_19CompileBaselineOnlyE+0x558): un +defined reference to `__atomic_load' + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -1336,6 +1336,7 @@ + { + 'target_name': 'mksnapshot', + 'type': 'executable', ++ 'libraries': [ '-latomic' ], + 'dependencies': [ + 'v8_base_without_compiler', + 'v8_compiler_for_mksnapshot', diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch new file mode 100644 index 0000000000..21a2281231 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch @@ -0,0 +1,32 @@ +Description: mksnapshot uses too much memory on 32-bit mipsel +Author: Jérémy Lal <kapouer@melix.org> +Last-Update: 2020-06-03 +Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586 + +This ensures that we reserve 500M instead of 2G range for codegen +ensures that qemu-mips can allocate such large ranges + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/deps/v8/src/common/globals.h ++++ b/deps/v8/src/common/globals.h +@@ -224,7 +224,7 @@ constexpr size_t kMinimumCodeRangeSize = + constexpr size_t kMinExpectedOSPageSize = 64 * KB; // OS page on PPC Linux + #elif V8_TARGET_ARCH_MIPS + constexpr bool kPlatformRequiresCodeRange = false; +-constexpr size_t kMaximalCodeRangeSize = 2048LL * MB; ++constexpr size_t kMaximalCodeRangeSize = 512 * MB; + constexpr size_t kMinimumCodeRangeSize = 0 * MB; + constexpr size_t kMinExpectedOSPageSize = 4 * KB; // OS page. + #else +--- a/deps/v8/src/codegen/mips/constants-mips.h ++++ b/deps/v8/src/codegen/mips/constants-mips.h +@@ -140,7 +140,7 @@ const uint32_t kLeastSignificantByteInIn + namespace v8 { + namespace internal { + +-constexpr size_t kMaxPCRelativeCodeRangeInMB = 4096; ++constexpr size_t kMaxPCRelativeCodeRangeInMB = 1024; + + // ----------------------------------------------------------------------------- + // Registers and FPURegisters. diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch b/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch new file mode 100644 index 0000000000..588ffc1eee --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch @@ -0,0 +1,46 @@ +From e4d6f2e4091a4c7b6f3281be0e281b32ee6e5a33 Mon Sep 17 00:00:00 2001 +From: Christian Clauss <cclauss@me.com> +Date: Thu, 26 Nov 2020 12:39:11 +0100 +Subject: [PATCH] Fix ValueError: invalid mode: 'rU' while trying to load + binding.gyp + +Fixes nodejs/node-gyp#2219 +File mode `U` is deprecated in Python 3 https://docs.python.org/3/library/functions.html#open +https://github.com/asottile/pyupgrade#redundant-open-modes + +Upstream-Status: Backport [https://github.com/nodejs/gyp-next/commit/3f8cb33ea4d191df41f4fb7a1dfbd302507f7260] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py | 2 +- + tools/gyp/pylib/gyp/input.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py +index d174280..2f34bc0 100644 +--- a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py ++++ b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py +@@ -226,7 +226,7 @@ def LoadOneBuildFile(build_file_path, data, aux_data, includes, + # Open the build file for read ('r') with universal-newlines mode ('U') + # to make sure platform specific newlines ('\r\n' or '\r') are converted to '\n' + # which otherwise will fail eval() +- if sys.platform == 'zos': ++ if PY3 or sys.platform == 'zos': + # On z/OS, universal-newlines mode treats the file as an ascii file. But since + # node-gyp produces ebcdic files, do not use that mode. + build_file_contents = open(build_file_path, 'r').read() +diff --git a/tools/gyp/pylib/gyp/input.py b/tools/gyp/pylib/gyp/input.py +index 1f40abb..fd12e78 100644 +--- a/tools/gyp/pylib/gyp/input.py ++++ b/tools/gyp/pylib/gyp/input.py +@@ -226,7 +226,7 @@ def LoadOneBuildFile(build_file_path, data, aux_data, includes, + # Open the build file for read ('r') with universal-newlines mode ('U') + # to make sure platform specific newlines ('\r\n' or '\r') are converted to '\n' + # which otherwise will fail eval() +- if sys.platform == 'zos': ++ if PY3 or sys.platform == 'zos': + # On z/OS, universal-newlines mode treats the file as an ascii file. But since + # node-gyp produces ebcdic files, do not use that mode. + build_file_contents = open(build_file_path, 'r').read() +-- +2.38.1 + diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb index 0673a3202d..f004671a6e 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb @@ -1,7 +1,7 @@ DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" HOMEPAGE = "http://nodejs.org" LICENSE = "MIT & BSD & Artistic-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93997aa7a45ba0f25f9c61aaab153ab8" DEPENDS = "openssl" DEPENDS_append_class-target = " nodejs-native" @@ -22,14 +22,22 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://big-endian.patch \ file://mips-warnings.patch \ file://0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch \ + file://CVE-2022-32212.patch \ + file://CVE-2022-35255.patch \ + file://CVE-2022-43548.patch \ + file://CVE-llhttp.patch \ + file://python-3.11-invalid-mode-rU.patch \ + file://gcc13.patch \ " SRC_URI_append_class-target = " \ file://0002-Using-native-binaries.patch \ " -SRC_URI[sha256sum] = "e00eee325d705b2bfa9929b7d061eb2315402d7e8548945eac9870bf84321853" +SRC_URI[sha256sum] = "bc42b7f8495b9bfc7f7850dd180bb02a5bdf139cc232b8c6f02a6967e20714f2" S = "${WORKDIR}/node-v${PV}" +CVE_PRODUCT += "node.js" + # v8 errors out if you have set CCACHE CCACHE = "" diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb new file mode 100644 index 0000000000..b64a57f941 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb @@ -0,0 +1,211 @@ +DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" +HOMEPAGE = "http://nodejs.org" +LICENSE = "MIT & BSD & Artistic-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=6768abdfc4dae4fde59d6b4df96930f3" + +DEFAULT_PREFERENCE = "-1" + +DEPENDS = "openssl" +DEPENDS:append:class-target = " qemu-native" +DEPENDS:append:class-native = " c-ares-native" + +inherit pkgconfig python3native qemu + +COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*" +COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*" +COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" + +COMPATIBLE_HOST:riscv64 = "null" +COMPATIBLE_HOST:riscv32 = "null" + +SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ + file://0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch \ + file://0003-Install-both-binaries-and-use-libdir-nodejs14.patch \ + file://0004-v8-don-t-override-ARM-CFLAGS.patch \ + file://big-endian.patch \ + file://mips-warnings.patch \ + file://mips-less-memory-nodejs14.patch \ + file://0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch \ + file://CVE-2022-32212.patch \ + file://CVE-2022-35255.patch \ + file://CVE-2022-43548.patch \ + file://gcc13.patch \ + " +SRC_URI:append:class-target = " \ + file://0002-Using-native-binaries-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:x86 = " \ + file://libatomic-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:powerpc64le = " \ + file://0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch \ + " +SRC_URI[sha256sum] = "3fa1d71adddfab2f5e3e41874b4eddbdf92b65cade4a43922fb1e437afcf89ed" + +S = "${WORKDIR}/node-v${PV}" + +CVE_PRODUCT += "node.js" + +# v8 errors out if you have set CCACHE +CCACHE = "" + +def map_nodejs_arch(a, d): + import re + + if re.match('i.86$', a): return 'ia32' + elif re.match('x86_64$', a): return 'x64' + elif re.match('aarch64$', a): return 'arm64' + elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64' + elif re.match('powerpc$', a): return 'ppc' + return a + +ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ + ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ + '--with-arm-fpu=vfp', d), d), d)}" +GYP_DEFINES:append:mipsel = " mips_arch_variant='r1' " +ARCHFLAGS ?= "" + +PACKAGECONFIG ??= "brotli icu zlib" + +PACKAGECONFIG[ares] = "--shared-cares,,c-ares" +PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" +PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" +PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" +PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" +PACKAGECONFIG[shared] = "--shared" +PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" + +# We don't want to cross-compile during target compile, +# and we need to use the right flags during host compile, +# too. +EXTRA_OEMAKE = "\ + CC.host='${CC}' \ + CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ + CXX.host='${CXX}' \ + CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ + LDFLAGS.host='${LDFLAGS}' \ + AR.host='${AR}' \ + \ + builddir_name=./ \ +" + +python do_unpack() { + import shutil + + bb.build.exec_func('base_do_unpack', d) + + if 'ares' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/cares', True) + if 'brotli' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/brotli', True) + if 'libuv' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/uv', True) + if 'nghttp2' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True) + if 'zlib' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/zlib', True) +} + +# V8's JIT infrastructure requires binaries such as mksnapshot and +# mkpeephole to be run in the host during the build. However, these +# binaries must have the same bit-width as the target (e.g. a x86_64 +# host targeting ARMv6 needs to produce a 32-bit binary). Instead of +# depending on a third Yocto toolchain, we just build those binaries +# for the target and run them on the host with QEMU. +python do_create_v8_qemu_wrapper () { + """Creates a small wrapper that invokes QEMU to run some target V8 binaries + on the host.""" + qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'), + d.expand('${STAGING_DIR_HOST}${base_libdir}')] + qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST', True), + qemu_libdirs) + wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh') + with open(wrapper_path, 'w') as wrapper_file: + wrapper_file.write("""#!/bin/sh + +# This file has been generated automatically. +# It invokes QEMU to run binaries built for the target in the host during the +# build process. + +%s "$@" +""" % qemu_cmd) + os.chmod(wrapper_path, 0o755) +} + +do_create_v8_qemu_wrapper[dirs] = "${B}" +addtask create_v8_qemu_wrapper after do_configure before do_compile + +# Work around compatibility issues with gcc-13 on host +BUILD_CXXFLAGS += "-fpermissive" + +LDFLAGS:append:x86 = " -latomic" + +# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi +do_configure () { + export LD="${CXX}" + GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES + # $TARGET_ARCH settings don't match --dest-cpu settings + python3 configure.py --prefix=${prefix} --cross-compiling \ + --without-dtrace \ + --without-etw \ + --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ + --dest-os=linux \ + --libdir=${D}${libdir} \ + ${ARCHFLAGS} \ + ${PACKAGECONFIG_CONFARGS} +} + +do_compile () { + export LD="${CXX}" + install -Dm 0755 ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh + oe_runmake BUILDTYPE=Release +} + +do_install () { + oe_runmake install DESTDIR=${D} + + # wasn't updated since 2009 and is the only thing requiring python2 in runtime + # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS:nodejs-npm? [file-rdeps] + rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples +} + +do_install:append:class-native() { + # use node from PATH instead of absolute path to sysroot + # node-v0.10.25/tools/install.py is using: + # shebang = os.path.join(node_prefix, 'bin/node') + # update_shebang(link_path, shebang) + # and node_prefix can be very long path to bindir in native sysroot and + # when it exceeds 128 character shebang limit it's stripped to incorrect path + # and npm fails to execute like in this case with 133 characters show in log.do_install: + # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node + # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js + # use sed on npm-cli.js because otherwise symlink is replaced with normal file and + # npm-cli.js continues to use old shebang + sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js + + # Install the native binaries to provide it within sysroot for the target compilation + install -d ${D}${bindir} + install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque + install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator + if ${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then + install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case + fi + install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache + install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot +} + +do_install:append:class-target() { + sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js +} + +PACKAGES =+ "${PN}-npm" +FILES:${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx" +RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \ + python3-misc python3-multiprocessing" + +PACKAGES =+ "${PN}-systemtap" +FILES:${PN}-systemtap = "${datadir}/systemtap" + +BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-devtools/openocd/openocd_git.bb b/meta-oe/recipes-devtools/openocd/openocd_git.bb index e95f1cfa54..9ff23d17af 100644 --- a/meta-oe/recipes-devtools/openocd/openocd_git.bb +++ b/meta-oe/recipes-devtools/openocd/openocd_git.bb @@ -5,10 +5,10 @@ DEPENDS = "libusb-compat libftdi" RDEPENDS_${PN} = "libusb1" SRC_URI = " \ - git://repo.or.cz/openocd.git;protocol=http;name=openocd \ - git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl \ - git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl \ - git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink \ + git://repo.or.cz/openocd.git;protocol=http;name=openocd;branch=master \ + git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl;branch=master \ + git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl;branch=master \ + git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink;branch=master \ file://0001-Do-not-include-syscrtl.h-with-glibc.patch \ " diff --git a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb index 107d5a8b72..84f6c3ce24 100644 --- a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb +++ b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263" COMPATIBLE_HOST = "(x86_64|aarch64|arm)" SRCREV = "09724edb1783a98da2b7ae53c5aaa87493aabc9b" -SRC_URI = "git://github.com/billfarrow/pcimem.git " +SRC_URI = "git://github.com/billfarrow/pcimem.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb index c812ae1374..03812e901b 100644 --- a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb +++ b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb @@ -9,7 +9,7 @@ LICENSE = "Artistic-1.0 | GPL-1.0+" LIC_FILES_CHKSUM = "file://LICENSE;md5=0ebd37caf53781e8b7223e6b99b63f4e" DEPENDS = "perl" -SRC_URI = "git://github.com/toddr/IPC-Run.git" +SRC_URI = "git://github.com/toddr/IPC-Run.git;branch=master;protocol=https" SRCREV = "0b409702490729eeb97ae65f5b94d949ec083134" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb index 049dc665dd..760c0ad0a5 100644 --- a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb +++ b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb @@ -15,7 +15,7 @@ DEPENDS += "libdev-checklib-perl-native libdbi-perl-native libmysqlclient" LIC_FILES_CHKSUM = "file://LICENSE;md5=d0a06964340e5c0cde88b7af611f755c" SRCREV = "9b5b70ea372f49fe9bc9e592dae3870596d1e3d6" -SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https" +SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch b/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch new file mode 100644 index 0000000000..b41bbe0a50 --- /dev/null +++ b/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch @@ -0,0 +1,56 @@ +Backport patch to fix CVE-2014-10402. + +CVE: CVE-2014-10402 +Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1] + +Ref: +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + + +From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001 +From: Jens Rehsack <sno@netbsd.org> +Date: Tue, 6 Oct 2020 10:22:17 +0200 +Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401 + +Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and +figure out that DBI->parse_dsn is the wrong helper to parse our attributes in +DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes +parse_dsn to bailout. + +Parsing on our own similar to parse_dsn shows the way out. + +Signed-off-by: Jens Rehsack <sno@netbsd.org> +--- + lib/DBD/File.pm | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm +index fb14e9a..f55076f 100644 +--- a/lib/DBD/File.pm ++++ b/lib/DBD/File.pm +@@ -109,7 +109,11 @@ sub connect + # We do not (yet) care about conflicting attributes here + # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" }); + # will test here that both test and text should exist +- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) { ++ # ++ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter. ++ if ($dbname) { ++ my @attrs = split /;/ => $dbname; ++ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs }; + if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) { + my $msg = "No such directory '$attr_hash->{f_dir}"; + $drh->set_err (2, $msg); +@@ -120,7 +124,6 @@ sub connect + if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) { + my $msg = "No such directory '$attr->{f_dir}"; + $drh->set_err (2, $msg); +- $attr->{RaiseError} and croak $msg; + return; + } + +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb b/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb index 75fad46bfd..c8abae628f 100644 --- a/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb +++ b/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb @@ -9,7 +9,9 @@ SECTION = "libs" LICENSE = "Artistic-1.0 | GPL-1.0+" LIC_FILES_CHKSUM = "file://LICENSE;md5=10982c7148e0a012c0fd80534522f5c5" -SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz" +SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz \ + file://CVE-2014-10402.patch \ + " SRC_URI[md5sum] = "352f80b1e23769c116082a90905d7398" SRC_URI[sha256sum] = "8a2b993db560a2c373c174ee976a51027dd780ec766ae17620c20393d2e836fa" diff --git a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb index 4e5a8a6ff2..29bc99e141 100644 --- a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb +++ b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://README;beginline=1171;endline=1176;md5=3be2cb8159d094 DEPENDS += "perl" -SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https" +SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https;branch=master" SRCREV = "42a6324df654e92419512cee80c0b49155d9e56d" diff --git a/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch b/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch deleted file mode 100644 index 0cf4d5ed60..0000000000 --- a/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch +++ /dev/null @@ -1,158 +0,0 @@ -Subject: Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption - for a 12 bytes IV) - ---- - ext/openssl/openssl.c | 10 ++++----- - ext/openssl/tests/cipher_tests.inc | 21 +++++++++++++++++ - ext/openssl/tests/openssl_decrypt_ccm.phpt | 22 +++++++++++------- - ext/openssl/tests/openssl_encrypt_ccm.phpt | 26 ++++++++++++++-------- - 4 files changed, 57 insertions(+), 22 deletions(-) - -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index 04cb9b0f..fdad2c3b 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -6521,11 +6521,6 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir - { - char *iv_new; - -- /* Best case scenario, user behaved */ -- if (*piv_len == iv_required_len) { -- return SUCCESS; -- } -- - if (mode->is_aead) { - if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) { - php_error_docref(NULL, E_WARNING, "Setting of IV length for AEAD mode failed"); -@@ -6534,6 +6529,11 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir - return SUCCESS; - } - -+ /* Best case scenario, user behaved */ -+ if (*piv_len == iv_required_len) { -+ return SUCCESS; -+ } -+ - iv_new = ecalloc(1, iv_required_len + 1); - - if (*piv_len == 0) { -diff --git a/ext/openssl/tests/cipher_tests.inc b/ext/openssl/tests/cipher_tests.inc -index b1e46b41..779bfa85 100644 ---- a/ext/openssl/tests/cipher_tests.inc -+++ b/ext/openssl/tests/cipher_tests.inc -@@ -1,5 +1,26 @@ - <?php - $php_openssl_cipher_tests = array( -+ 'aes-128-ccm' => array( -+ array( -+ 'key' => '404142434445464748494a4b4c4d4e4f', -+ 'iv' => '1011121314151617', -+ 'aad' => '000102030405060708090a0b0c0d0e0f', -+ 'tag' => '1fc64fbfaccd', -+ 'pt' => '202122232425262728292a2b2c2d2e2f', -+ 'ct' => 'd2a1f0e051ea5f62081a7792073d593d', -+ ), -+ array( -+ 'key' => '404142434445464748494a4b4c4d4e4f', -+ 'iv' => '101112131415161718191a1b', -+ 'aad' => '000102030405060708090a0b0c0d0e0f' . -+ '10111213', -+ 'tag' => '484392fbc1b09951', -+ 'pt' => '202122232425262728292a2b2c2d2e2f' . -+ '3031323334353637', -+ 'ct' => 'e3b201a9f5b71a7a9b1ceaeccd97e70b' . -+ '6176aad9a4428aa5', -+ ), -+ ), - 'aes-256-ccm' => array( - array( - 'key' => '1bde3251d41a8b5ea013c195ae128b21' . -diff --git a/ext/openssl/tests/openssl_decrypt_ccm.phpt b/ext/openssl/tests/openssl_decrypt_ccm.phpt -index a5f01b87..08ef5bb7 100644 ---- a/ext/openssl/tests/openssl_decrypt_ccm.phpt -+++ b/ext/openssl/tests/openssl_decrypt_ccm.phpt -@@ -10,14 +10,16 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods())) - --FILE-- - <?php - require_once __DIR__ . "/cipher_tests.inc"; --$method = 'aes-256-ccm'; --$tests = openssl_get_cipher_tests($method); -+$methods = ['aes-128-ccm', 'aes-256-ccm']; - --foreach ($tests as $idx => $test) { -- echo "TEST $idx\n"; -- $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA, -- $test['iv'], $test['tag'], $test['aad']); -- var_dump($test['pt'] === $pt); -+foreach ($methods as $method) { -+ $tests = openssl_get_cipher_tests($method); -+ foreach ($tests as $idx => $test) { -+ echo "$method - TEST $idx\n"; -+ $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA, -+ $test['iv'], $test['tag'], $test['aad']); -+ var_dump($test['pt'] === $pt); -+ } - } - - // no IV -@@ -32,7 +34,11 @@ var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA, - - ?> - --EXPECTF-- --TEST 0 -+aes-128-ccm - TEST 0 -+bool(true) -+aes-128-ccm - TEST 1 -+bool(true) -+aes-256-ccm - TEST 0 - bool(true) - - Warning: openssl_decrypt(): Setting of IV length for AEAD mode failed in %s on line %d -diff --git a/ext/openssl/tests/openssl_encrypt_ccm.phpt b/ext/openssl/tests/openssl_encrypt_ccm.phpt -index fb5dbbc8..8c4c41f8 100644 ---- a/ext/openssl/tests/openssl_encrypt_ccm.phpt -+++ b/ext/openssl/tests/openssl_encrypt_ccm.phpt -@@ -10,15 +10,17 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods())) - --FILE-- - <?php - require_once __DIR__ . "/cipher_tests.inc"; --$method = 'aes-256-ccm'; --$tests = openssl_get_cipher_tests($method); -+$methods = ['aes-128-ccm', 'aes-256-ccm']; - --foreach ($tests as $idx => $test) { -- echo "TEST $idx\n"; -- $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA, -- $test['iv'], $tag, $test['aad'], strlen($test['tag'])); -- var_dump($test['ct'] === $ct); -- var_dump($test['tag'] === $tag); -+foreach ($methods as $method) { -+ $tests = openssl_get_cipher_tests($method); -+ foreach ($tests as $idx => $test) { -+ echo "$method - TEST $idx\n"; -+ $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA, -+ $test['iv'], $tag, $test['aad'], strlen($test['tag'])); -+ var_dump($test['ct'] === $ct); -+ var_dump($test['tag'] === $tag); -+ } - } - - // Empty IV error -@@ -32,7 +34,13 @@ var_dump(strlen($tag)); - var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 16), $tag, '', 1024)); - ?> - --EXPECTF-- --TEST 0 -+aes-128-ccm - TEST 0 -+bool(true) -+bool(true) -+aes-128-ccm - TEST 1 -+bool(true) -+bool(true) -+aes-256-ccm - TEST 0 - bool(true) - bool(true) - --- -2.25.1 - diff --git a/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch b/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch deleted file mode 100644 index e5b527f989..0000000000 --- a/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch +++ /dev/null @@ -1,24 +0,0 @@ -Subject: Patch fix-urldecode for HTTP related Bug #79699 - ---- - main/php_variables.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/main/php_variables.c b/main/php_variables.c -index 1a40c2a1..cbdc7cf1 100644 ---- a/main/php_variables.c -+++ b/main/php_variables.c -@@ -514,7 +514,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data) - } - - val = estrndup(val, val_len); -- php_url_decode(var, strlen(var)); -+ if (arg != PARSE_COOKIE) { -+ php_url_decode(var, strlen(var)); -+ } - if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) { - php_register_variable_safe(var, val, new_val_len, &array); - } --- -2.25.1 - diff --git a/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch b/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch new file mode 100644 index 0000000000..4bfd94c9fd --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch @@ -0,0 +1,48 @@ +From 789a37f14405e2d1a05a76c9fb4ed2d49d4580d5 Mon Sep 17 00:00:00 2001 +From: guoyiyuan <yguoaz@gmail.com> +Date: Wed, 13 Jul 2022 20:55:51 +0800 +Subject: [PATCH] Prevent potential buffer overflow for large value of + php_cli_server_workers_max + +Fixes #8989. +Closes #9000 + +Upstream-Status: Backport [https://github.com/php/php-src/commit/789a37f14405e2d1a05a76c9fb4ed2d49d4580d5] +CVE: CVE-2022-4900 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + sapi/cli/php_cli_server.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c +index c3097861..48f8309d 100644 +--- a/sapi/cli/php_cli_server.c ++++ b/sapi/cli/php_cli_server.c +@@ -517,13 +517,8 @@ static int sapi_cli_server_startup(sapi_module_struct *sapi_module) /* {{{ */ + if (php_cli_server_workers_max > 1) { + zend_long php_cli_server_worker; + +- php_cli_server_workers = calloc( +- php_cli_server_workers_max, sizeof(pid_t)); +- if (!php_cli_server_workers) { +- php_cli_server_workers_max = 1; +- +- return SUCCESS; +- } ++ php_cli_server_workers = pecalloc( ++ php_cli_server_workers_max, sizeof(pid_t), 1); + + php_cli_server_master = getpid(); + +@@ -2361,7 +2356,7 @@ static void php_cli_server_dtor(php_cli_server *server) /* {{{ */ + !WIFSIGNALED(php_cli_server_worker_status)); + } + +- free(php_cli_server_workers); ++ pefree(php_cli_server_workers, 1); + } + #endif + } /* }}} */ +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch new file mode 100644 index 0000000000..db9e41796c --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch @@ -0,0 +1,87 @@ +From ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sun, 16 Apr 2023 15:05:03 +0200 +Subject: [PATCH] Fix missing randomness check and insufficient random bytes + for SOAP HTTP Digest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If php_random_bytes_throw fails, the nonce will be uninitialized, but +still sent to the server. The client nonce is intended to protect +against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], +and bullet point 2 below. + +Tim pointed out that even though it's the MD5 of the nonce that gets sent, +enumerating 31 bits is trivial. So we have still a stack information leak +of 31 bits. + +Furthermore, Tim found the following issues: +* The small size of cnonce might cause the server to erroneously reject + a request due to a repeated (cnonce, nc) pair. As per the birthday + problem 31 bits of randomness will return a duplication with 50% + chance after less than 55000 requests and nc always starts counting at 1. +* The cnonce is intended to protect the client and password against a + malicious server that returns a constant server nonce where the server + precomputed a rainbow table between passwords and correct client response. + As storage is fairly cheap, a server could precompute the client responses + for (a subset of) client nonces and still have a chance of reversing the + client response with the same probability as the cnonce duplication. + + Precomputing the rainbow table for all 2^31 cnonces increases the rainbow + table size by factor 2 billion, which is infeasible. But precomputing it + for 2^14 cnonces only increases the table size by factor 16k and the server + would still have a 10% chance of successfully reversing a password with a + single client request. + +This patch fixes the issues by increasing the nonce size, and checking +the return value of php_random_bytes_throw(). In the process we also get +rid of the MD5 hashing of the nonce. + +[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 + +Co-authored-by: Tim Düsterhus <timwolla@php.net> + +Upstream-Status: Backport [https://github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6] +CVE: CVE-2023-3247 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + ext/soap/php_http.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 1da286ad875f..e796dba9619a 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -664,18 +664,23 @@ int make_http_soap_request(zval *this_ptr, + if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { + if (Z_TYPE_P(digest) == IS_ARRAY) { + char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; +- zend_long nonce; ++ unsigned char nonce[16]; + PHP_MD5_CTX md5ctx; + unsigned char hash[16]; + +- php_random_bytes_throw(&nonce, sizeof(nonce)); +- nonce &= 0x7fffffff; ++ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { ++ ZEND_ASSERT(EG(exception)); ++ php_stream_close(stream); ++ convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); ++ convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); ++ convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); ++ smart_str_free(&soap_headers_z); ++ smart_str_free(&soap_headers); ++ return FALSE; ++ } + +- PHP_MD5Init(&md5ctx); +- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce); +- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); +- PHP_MD5Final(hash, &md5ctx); +- make_digest(cnonce, hash); ++ php_hash_bin2hex(cnonce, nonce, sizeof(nonce)); ++ cnonce[32] = 0; + + if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL && + Z_TYPE_P(tmp) == IS_LONG) { diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch new file mode 100644 index 0000000000..80c1961aa1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch @@ -0,0 +1,29 @@ +From 32c7c433ac1983c4497349051681a4f361d3d33e Mon Sep 17 00:00:00 2001 +From: Pierrick Charron <pierrick@php.net> +Date: Tue, 6 Jun 2023 18:49:32 -0400 +Subject: [PATCH] Fix wrong backporting of previous soap patch + +Upstream-Status: Backport [https://github.com/php/php-src/commit/32c7c433ac1983c4497349051681a4f361d3d33e] +CVE: CVE-2023-3247 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + ext/soap/php_http.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 77ed21d4f0f4..37250a6bdcd1 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -672,9 +672,9 @@ int make_http_soap_request(zval *this_ptr, + if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { + ZEND_ASSERT(EG(exception)); + php_stream_close(stream); +- convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); +- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); +- convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1); + smart_str_free(&soap_headers_z); + smart_str_free(&soap_headers); + return FALSE; diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch new file mode 100644 index 0000000000..953b5258e1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch @@ -0,0 +1,91 @@ +From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Mon, 10 Jul 2023 13:25:34 +0200 +Subject: [PATCH] Fix buffer mismanagement in phar_dir_read() + +Fixes GHSA-jqcx-ccgc-xwhv. + +Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef] +CVE: CVE-2023-3824 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + ext/phar/dirstream.c | 15 ++++++++------ + ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 6 deletions(-) + create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt + +diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c +index 4710703c..490b1452 100644 +--- a/ext/phar/dirstream.c ++++ b/ext/phar/dirstream.c +@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend + */ + static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */ + { +- size_t to_read; + HashTable *data = (HashTable *)stream->abstract; + zend_string *str_key; + zend_ulong unused; + ++ if (count != sizeof(php_stream_dirent)) { ++ return -1; ++ } ++ + if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) { + return 0; + } + + zend_hash_move_forward(data); +- to_read = MIN(ZSTR_LEN(str_key), count); + +- if (to_read == 0 || count < ZSTR_LEN(str_key)) { ++ php_stream_dirent *dirent = (php_stream_dirent *) buf; ++ ++ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) { + return 0; + } + +- memset(buf, 0, sizeof(php_stream_dirent)); +- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read); +- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0'; ++ memset(dirent, 0, sizeof(php_stream_dirent)); ++ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key)); + + return sizeof(php_stream_dirent); + } +diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +new file mode 100644 +index 00000000..4e12f05f +--- /dev/null ++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read()) ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--INI-- ++phar.readonly=0 ++--FILE-- ++<?php ++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++$phar->startBuffering(); ++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.'); ++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.'); ++$phar->stopBuffering(); ++ ++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar'); ++var_dump(strlen(readdir($handle))); ++// Must not be a string of length PHP_MAXPATHLEN+1 ++var_dump(readdir($handle)); ++closedir($handle); ++?> ++--CLEAN-- ++<?php ++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++?> ++--EXPECTF-- ++int(%d) ++bool(false) +-- +2.24.4 + diff --git a/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb index 16fc311b0e..74606e4883 100644 --- a/meta-oe/recipes-devtools/php/php_7.4.9.bb +++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.php.net" SECTION = "console/network" LICENSE = "PHP-3.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=7e571b888d585b31f9ef5edcc647fa30" +LIC_FILES_CHKSUM = "file://LICENSE;md5=99532e0f6620bc9bca34f12fadaee33c" BBCLASSEXTEND = "native" DEPENDS = "zlib bzip2 libxml2 virtual/libiconv php-native lemon-native" @@ -16,6 +16,8 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://debian-php-fixheader.patch \ file://0001-configure.ac-don-t-include-build-libtool.m4.patch \ file://0001-php.m4-don-t-unset-cache-variables.patch \ + file://CVE-2023-3824.patch \ + file://CVE-2022-4900.patch \ " SRC_URI_append_class-target = " \ @@ -30,13 +32,13 @@ SRC_URI_append_class-target = " \ file://phar-makefile.patch \ file://0001-opcache-config.m4-enable-opcache.patch \ file://xfail_two_bug_tests.patch \ - file://CVE-2020-7070.patch \ - file://CVE-2020-7069.patch \ + file://CVE-2023-3247-1.patch \ + file://CVE-2023-3247-2.patch \ " S = "${WORKDIR}/php-${PV}" -SRC_URI[md5sum] = "e68a66c54b080d108831f6dc2e1e403d" -SRC_URI[sha256sum] = "2e270958a4216480da7886743438ccc92b6acf32ea96fefda88d07e0a5095deb" +SRC_URI[sha256sum] = "4e8117458fe5a475bf203128726b71bcbba61c42ad463dffadee5667a198a98a" + inherit autotools pkgconfig python3native gettext @@ -204,7 +206,7 @@ php_sysroot_preprocess () { MODPHP_PACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', '${PN}-modphp', '', d)}" -PACKAGES = "${PN}-dbg ${PN}-cli ${PN}-cgi ${PN}-fpm ${PN}-fpm-apache2 ${PN}-pear ${PN}-phar ${MODPHP_PACKAGE} ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-opcache ${PN}" +PACKAGES = "${PN}-dbg ${PN}-cli ${PN}-phpdbg ${PN}-cgi ${PN}-fpm ${PN}-fpm-apache2 ${PN}-pear ${PN}-phar ${MODPHP_PACKAGE} ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-opcache ${PN}" RDEPENDS_${PN} += "libgcc" RDEPENDS_${PN}-pear = "${PN}" @@ -213,6 +215,8 @@ RDEPENDS_${PN}-cli = "${PN}" RDEPENDS_${PN}-modphp = "${PN} apache2" RDEPENDS_${PN}-opcache = "${PN}" +ALLOW_EMPTY_${PN} = "1" + INITSCRIPT_PACKAGES = "${PN}-fpm" inherit update-rc.d @@ -220,6 +224,7 @@ FILES_${PN}-dbg =+ "${bindir}/.debug \ ${libexecdir}/apache2/modules/.debug" FILES_${PN}-doc += "${PHP_LIBDIR}/php/doc" FILES_${PN}-cli = "${bindir}/php" +FILES_${PN}-phpdbg = "${bindir}/phpdbg" FILES_${PN}-phar = "${bindir}/phar*" FILES_${PN}-cgi = "${bindir}/php-cgi" FILES_${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default" diff --git a/meta-oe/recipes-devtools/ply/ply_git.bb b/meta-oe/recipes-devtools/ply/ply_git.bb index 7d693b36da..bf789488d7 100644 --- a/meta-oe/recipes-devtools/ply/ply_git.bb +++ b/meta-oe/recipes-devtools/ply/ply_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "bison-native" -SRC_URI = "git://github.com/iovisor/ply" +SRC_URI = "git://github.com/iovisor/ply;branch=master;protocol=https" SRCREV = "aa5b9ac31307ec1acece818be334ef801c802a12" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb index 9afcbbb7f5..f605d2c90d 100644 --- a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb +++ b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" PV = "20130209+git${SRCPV}" -SRC_URI = "git://github.com/anyc/pmtools.git \ +SRC_URI = "git://github.com/anyc/pmtools.git;branch=master;protocol=https \ file://pmtools-switch-to-dynamic-buffer-for-huge-ACPI-table.patch \ " SRCREV = "3ebe0e54c54061b4c627236cbe35d820de2e1168" diff --git a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb index ed8773443e..7bc1f23e70 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb @@ -14,7 +14,7 @@ DEPENDS = "protobuf-native protobuf" SRCREV = "f20a3fa131c275a0e795d99a28f94b4dbbb5af26" -SRC_URI = "git://github.com/protobuf-c/protobuf-c.git \ +SRC_URI = "git://github.com/protobuf-c/protobuf-c.git;branch=master;protocol=https \ file://0001-avoid-race-condition.patch \ " diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch new file mode 100644 index 0000000000..bb9594e968 --- /dev/null +++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch @@ -0,0 +1,73 @@ +From f5ce0700d80c776186b0fb0414ef20966a3a6a03 Mon Sep 17 00:00:00 2001 +From: "Sana.Kazi" <Sana.Kazi@kpit.com> +Date: Wed, 23 Feb 2022 15:50:16 +0530 +Subject: [PATCH] protobuf: Fix CVE-2021-22570 + +CVE: CVE-2021-22570 +Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch] +Comment: Removed first and second hunk +Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> + +--- + src/google/protobuf/descriptor.cc | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc +index 6835a3cde..1514ae531 100644 +--- a/src/google/protobuf/descriptor.cc ++++ b/src/google/protobuf/descriptor.cc +@@ -2603,6 +2603,8 @@ void Descriptor::DebugString(int depth, std::string* contents, + const Descriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start + 1) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end > FieldDescriptor::kMaxNumber) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end - 1); +@@ -2815,6 +2817,8 @@ void EnumDescriptor::DebugString( + const EnumDescriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end == INT_MAX) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end); +@@ -4002,6 +4006,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + // Use its file as the parent instead. + if (parent == nullptr) parent = file_; + ++ if (full_name.find('\0') != std::string::npos) { ++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + full_name + "\" contains null character."); ++ return false; ++ } + if (tables_->AddSymbol(full_name, symbol)) { + if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) { + // This is only possible if there was already an error adding something of +@@ -4041,6 +4050,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + void DescriptorBuilder::AddPackage(const std::string& name, + const Message& proto, + const FileDescriptor* file) { ++ if (name.find('\0') != std::string::npos) { ++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + name + "\" contains null character."); ++ return; ++ } + if (tables_->AddSymbol(name, Symbol(file))) { + // Success. Also add parent package, if any. + std::string::size_type dot_pos = name.find_last_of('.'); +@@ -4354,6 +4368,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl( + } + result->pool_ = pool_; + ++ if (result->name().find('\0') != std::string::npos) { ++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + result->name() + "\" contains null character."); ++ return nullptr; ++ } ++ + // Add to tables. + if (!tables_->AddFile(result)) { + AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER, diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb index 4d6c5b2557..55d56ff08e 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb @@ -12,11 +12,12 @@ DEPENDS_append_class-target = " protobuf-native" SRCREV = "d0bfd5221182da1a7cc280f3337b5e41a89539cf" -SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x \ +SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \ file://run-ptest \ file://0001-protobuf-fix-configure-error.patch \ file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \ file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \ + file://CVE-2021-22570.patch \ " S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python-cython.inc b/meta-oe/recipes-devtools/python/python-cython.inc index 3260e92bac..3260e92bac 100644 --- a/meta-python/recipes-devtools/python/python-cython.inc +++ b/meta-oe/recipes-devtools/python/python-cython.inc diff --git a/meta-python/recipes-devtools/python/python3-cython_0.29.14.bb b/meta-oe/recipes-devtools/python/python3-cython_0.29.14.bb index 2ce6bdbd68..2ce6bdbd68 100644 --- a/meta-python/recipes-devtools/python/python3-cython_0.29.14.bb +++ b/meta-oe/recipes-devtools/python/python3-cython_0.29.14.bb diff --git a/meta-python/recipes-devtools/python/python3-pyparsing_2.4.6.bb b/meta-oe/recipes-devtools/python/python3-pyparsing_2.4.6.bb index a6ec1cb9c3..a6ec1cb9c3 100644 --- a/meta-python/recipes-devtools/python/python3-pyparsing_2.4.6.bb +++ b/meta-oe/recipes-devtools/python/python3-pyparsing_2.4.6.bb diff --git a/meta-python/recipes-devtools/python/python3-pyyaml_5.3.1.bb b/meta-oe/recipes-devtools/python/python3-pyyaml_5.3.1.bb index 8cf9093041..8cf9093041 100644 --- a/meta-python/recipes-devtools/python/python3-pyyaml_5.3.1.bb +++ b/meta-oe/recipes-devtools/python/python3-pyyaml_5.3.1.bb diff --git a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb index 5b5c8b2570..bc90bffe5e 100644 --- a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb +++ b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://license.txt;md5=ba04aa8f65de1396a7e59d1d746c2125" -SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1" +SRC_URI = "git://github.com/miloyip/rapidjson.git;branch=master;protocol=https" SRCREV = "0ccdbf364c577803e2a751f5aededce935314313" diff --git a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb index cd5e0a4e5c..20cad69b53 100644 --- a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb +++ b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://git.breakpoint.cc/cgit/bigeasy/serialcheck.git/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git \ +SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git;branch=master \ file://0001-Add-option-to-enable-internal-loopback.patch \ file://0002-Restore-original-loopback-config.patch \ file://0001-Makefile-Change-order-of-link-flags.patch \ diff --git a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb index 4a27e4b2a5..9d07405560 100644 --- a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb +++ b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb @@ -8,7 +8,7 @@ inherit cmake DEPENDS += "sqlite3" SRCREV = "e8a9e9416f421303f4b8970caab26dadf8bae98b" -SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https" +SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https;branch=master" S = "${WORKDIR}/git" EXTRA_OECMAKE += "-DSqliteOrm_BuildTests=OFF" diff --git a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb index 46a9408031..3280dba49b 100644 --- a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb +++ b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=0ca8b9c5c5445cfa7af7e78fd27e60ed" SRCREV = "75f440bcac1276c847f5351e14216f6e91def44d" -SRC_URI = "git://git.code.sf.net/p/tclap/code \ +SRC_URI = "git://git.code.sf.net/p/tclap/code;branch=master \ file://Makefile.am-disable-docs.patch \ " diff --git a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb index c33fa048cf..a78eecfea3 100644 --- a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb +++ b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb @@ -12,7 +12,7 @@ inherit autotools # v0.9.4 SRCREV = "d648bbffedef529220896283fb59e35531c13804" -SRC_URI = "git://github.com/namhyung/${BPN} \ +SRC_URI = "git://github.com/namhyung/${BPN};branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/valijson/valijson_git.bb b/meta-oe/recipes-devtools/valijson/valijson_git.bb index c3254d16e7..5cff40752a 100644 --- a/meta-oe/recipes-devtools/valijson/valijson_git.bb +++ b/meta-oe/recipes-devtools/valijson/valijson_git.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/tristanpenman/valijson" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=015106c62262b2383f6c72063f0998f2" -SRC_URI = "git://github.com/tristanpenman/valijson.git" +SRC_URI = "git://github.com/tristanpenman/valijson.git;branch=master;protocol=https" PV = "0.1+git${SRCPV}" SRCREV = "c2f22fddf599d04dc33fcd7ed257c698a05345d9" diff --git a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb index 6c31b69817..34df701260 100644 --- a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb +++ b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb @@ -5,7 +5,7 @@ HOMEPAGE = "http://xmlrpc-c.sourceforge.net/" LICENSE = "BSD & MIT" LIC_FILES_CHKSUM = "file://doc/COPYING;md5=aefbf81ba0750f02176b6f86752ea951" -SRC_URI = "git://github.com/mirror/xmlrpc-c.git \ +SRC_URI = "git://github.com/mirror/xmlrpc-c.git;branch=master;protocol=https \ file://0001-test-cpp-server_abyss-Fix-build-with-clang-libc.patch \ file://0002-fix-formatting-issues.patch \ " diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch new file mode 100644 index 0000000000..169784d427 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch @@ -0,0 +1,29 @@ +From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001 +From: "zhang.jiujiu" <282627424@qq.com> +Date: Tue, 7 Dec 2021 22:37:02 +0800 +Subject: [PATCH] fix memory leaks + +Upstream-Status: Backport [https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698] +CVE: CVE-2023-33460 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index 3d357a3..a71167e 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -445,6 +445,9 @@ yajl_val yajl_tree_parse (const char *input, + YA_FREE(&(handle->alloc), internal_err_str); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb index e112a5e30f..186f2c8ed0 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=da2e9aa80962d54e7c726f232a2bd1e8" # Use 1.0.12 tag SRCREV = "17b1790fb9c8abbb3c0f7e083864a6a014191d56" -SRC_URI = "git://github.com/lloyd/yajl;nobranch=1" +SRC_URI = "git://github.com/lloyd/yajl;nobranch=1;protocol=https" inherit cmake lib_package diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index d9a5821cbb..697f54d9fb 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb @@ -8,7 +8,9 @@ HOMEPAGE = "http://lloyd.github.com/yajl/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" -SRC_URI = "git://github.com/lloyd/yajl" +SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ + file://CVE-2023-33460.patch \ + " SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 53856263f7..6aae29ad8c 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb @@ -9,7 +9,7 @@ DEPENDS += "flex-native bison-native xmlto-native" PV = "1.3.0+git${SRCPV}" # v1.3.0 SRCREV = "ba463d3c26c0ece2e797b8d6381b161633b5971a" -SRC_URI = "git://github.com/yasm/yasm.git" +SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch new file mode 100644 index 0000000000..c21794d147 --- /dev/null +++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch @@ -0,0 +1,44 @@ +From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001 +From: Jan Kraemer <jan@spectrejan.de> +Date: Thu, 7 Oct 2021 12:48:04 +0200 +Subject: [PATCH] brotli: fix CVE-2020-8927 + +[No upstream tracking] -- + +This fixes a potential overflow when input chunk is >2GiB in +BrotliGetAvailableBits by capping the returned value to 2^30 + +Fixed in brotli version 1.0.8 +https://github.com/google/brotli as of commit id +223d80cfbec8fd346e32906c732c8ede21f0cea6 + +Patch taken from Debian Buster: 1.0.7-2+deb10u1 +http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc +https://security-tracker.debian.org/tracker/CVE-2020-8927 + + +Upstream-Status: Backported +CVE: CVE-2020-8927 + +Signed-off-by: Jan Kraemer <jan@spectrejan.de> +--- + c/dec/bit_reader.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h +index c06e914..0d20312 100644 +--- a/c/dec/bit_reader.h ++++ b/c/dec/bit_reader.h +@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits( + } + + /* Returns amount of unread bytes the bit reader still has buffered from the +- BrotliInput, including whole bytes in br->val_. */ ++ BrotliInput, including whole bytes in br->val_. Result is capped with ++ maximal ring-buffer size (larger number won't be utilized anyway). */ + static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) { ++ static const size_t kCap = (size_t)1 << 30; ++ if (br->avail_in > kCap) return kCap; + return br->avail_in + (BrotliGetAvailableBits(br) >> 3); + } + diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb index 70dbcaffb1..77fef778a4 100644 --- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb +++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb @@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b" -SRC_URI = "git://github.com/google/brotli.git" +SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \ + file://0001-brotli-fix-CVE-2020-8927.patch \ + " # tag 1.0.7 SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb index 6c71d534be..388feb703b 100644 --- a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb +++ b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b19ee058d2d5f69af45da98051d91064" SECTION = "Development/Libraries" DEPENDS = "swig-native python3 sblim-cmpi-devel" -SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http \ +SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http;branch=master;protocol=https \ file://cmpi-bindings-0.4.17-no-ruby-perl.patch \ file://cmpi-bindings-0.4.17-sblim-sigsegv.patch \ file://cmpi-bindings-0.9.5-python-lib-dir.patch \ diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/204.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/204.patch deleted file mode 100644 index f0fc0bcb2c..0000000000 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/204.patch +++ /dev/null @@ -1,148 +0,0 @@ -Upstream-Status: Submitted [https://github.com/GENIVI/dlt-daemon/pull/204] -From 92830aff6e91041f574753d78da758c62981d9a4 Mon Sep 17 00:00:00 2001 -From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Date: Sat, 25 Jan 2020 09:08:07 +0100 -Subject: [PATCH 1/3] dlt_user.h: fix build when musl is the libc - implementation, by adding a missing include for pthread_t reference: - -see https://errors.yoctoproject.org/Errors/Details/308000/ for details - -Thanks Khem Raj <raj.khem@gmail.com> for the report - -Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> ---- - include/dlt/dlt_user.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/dlt/dlt_user.h b/include/dlt/dlt_user.h -index 69cb854..766d349 100644 ---- a/include/dlt/dlt_user.h -+++ b/include/dlt/dlt_user.h -@@ -74,6 +74,7 @@ - \{ - */ - # include <mqueue.h> -+# include <pthread.h> - - # if !defined (__WIN32__) - # include <semaphore.h> - -From 5f67aba02c12b7446e63ccc86285c13bc5c7a432 Mon Sep 17 00:00:00 2001 -From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Date: Sat, 25 Jan 2020 09:16:14 +0100 -Subject: [PATCH 2/3] dlt-test-init-free: fix build failure with strict - compiler flags, due to uint being undefined. This is actually an "int" type, - looking at the test implementation - -Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> ---- - src/tests/dlt-test-init-free.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/dlt-test-init-free.c b/src/tests/dlt-test-init-free.c -index 96b5245..35b8803 100644 ---- a/src/tests/dlt-test-init-free.c -+++ b/src/tests/dlt-test-init-free.c -@@ -32,7 +32,7 @@ - - void exec(const char *cmd, char *buffer, size_t length); - void printMemoryUsage(); --char *occupyMemory(uint size); -+char *occupyMemory(int size); - void do_example_test(); - void do_dlt_test(); - -@@ -131,7 +131,7 @@ void printMemoryUsage() - printf("%s", result); - } - --char *occupyMemory(uint size) -+char *occupyMemory(int size) - { - char *buf = (char *)malloc(size * sizeof(char)); - - -From c790d61fad382e5d3e648ee99904087eb9bc4a77 Mon Sep 17 00:00:00 2001 -From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Date: Sat, 25 Jan 2020 09:20:48 +0100 -Subject: [PATCH 3/3] sys/poll.h: deprecate old sys/poll.h include header, now - glibc/musl wants poll.h being included directly. This fixes a build failure - on musl systems with strict c hardening flags - -Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> ---- - src/console/logstorage/dlt-logstorage-ctrl.c | 2 +- - src/daemon/dlt_daemon_event_handler.c | 2 +- - src/daemon/dlt_daemon_event_handler.h | 2 +- - src/daemon/dlt_daemon_event_handler_types.h | 2 +- - src/lib/dlt_user.c | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/console/logstorage/dlt-logstorage-ctrl.c b/src/console/logstorage/dlt-logstorage-ctrl.c -index 525c137..6614f44 100644 ---- a/src/console/logstorage/dlt-logstorage-ctrl.c -+++ b/src/console/logstorage/dlt-logstorage-ctrl.c -@@ -61,7 +61,7 @@ - #include <string.h> - #include <getopt.h> - --#include <sys/poll.h> -+#include <poll.h> - - #if defined(__linux__) - # include "sd-daemon.h" -diff --git a/src/daemon/dlt_daemon_event_handler.c b/src/daemon/dlt_daemon_event_handler.c -index 1611f7b..0d463da 100644 ---- a/src/daemon/dlt_daemon_event_handler.c -+++ b/src/daemon/dlt_daemon_event_handler.c -@@ -30,7 +30,7 @@ - #include <string.h> - #include <errno.h> - --#include <sys/poll.h> -+#include <poll.h> - #include <syslog.h> - - #include "dlt_common.h" -diff --git a/src/daemon/dlt_daemon_event_handler.h b/src/daemon/dlt_daemon_event_handler.h -index eb96101..bd550d3 100644 ---- a/src/daemon/dlt_daemon_event_handler.h -+++ b/src/daemon/dlt_daemon_event_handler.h -@@ -25,7 +25,7 @@ - * \file dlt_daemon_event_handler.h - */ - --#include <sys/poll.h> -+#include <poll.h> - - #include "dlt_daemon_connection_types.h" - #include "dlt_daemon_event_handler_types.h" -diff --git a/src/daemon/dlt_daemon_event_handler_types.h b/src/daemon/dlt_daemon_event_handler_types.h -index 370e503..0b16d08 100644 ---- a/src/daemon/dlt_daemon_event_handler_types.h -+++ b/src/daemon/dlt_daemon_event_handler_types.h -@@ -25,7 +25,7 @@ - * \file dlt_daemon_event_handler_types.h - */ - --#include <sys/poll.h> -+#include <poll.h> - - #include "dlt_daemon_connection_types.h" - -#diff --git a/src/lib/dlt_user.c b/src/lib/dlt_user.c -#index ffa9b09..511f991 100644 -#--- a/src/lib/dlt_user.c -#+++ b/src/lib/dlt_user.c -#@@ -43,7 +43,7 @@ -# #include <errno.h> -# -# #include <sys/uio.h> /* writev() */ -#-#include <sys/poll.h> -#+#include <poll.h> -# -# #include <limits.h> -# #ifdef linux diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch deleted file mode 100644 index 75065eb054..0000000000 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch +++ /dev/null @@ -1,38 +0,0 @@ -Upstream-status: Backport -CVE: CVE-2020-29394 -From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001 -From: GwanYeong Kim <gy741.kim@gmail.com> -Date: Sat, 28 Nov 2020 12:24:46 +0900 -Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load - -A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument. - -Fixed: #274 - -Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> ---- - src/shared/dlt_common.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c -index 254f4ce4..d15b1cec 100644 ---- a/src/shared/dlt_common.c -+++ b/src/shared/dlt_common.c -@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb - while (!feof(handle)) { - str1[0] = 0; - -- if (fscanf(handle, "%s", str1) != 1) -+ if (fscanf(handle, "%254s", str1) != 1) - break; - - if (str1[0] == 0) -@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb - - str1[0] = 0; - -- if (fscanf(handle, "%s", str1) != 1) -+ if (fscanf(handle, "%254s", str1) != 1) - break; - - if (str1[0] == 0) diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/317.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/317.patch new file mode 100644 index 0000000000..fe40334b65 --- /dev/null +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/317.patch @@ -0,0 +1,43 @@ +Origin: https://github.com/GENIVI/dlt-daemon/pull/317 +From 55d31216823841a1547fe261cdf8e3b1002d5f94 Mon Sep 17 00:00:00 2001 +From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> +Date: Thu, 1 Jul 2021 12:58:20 +0200 +Subject: [PATCH] dlt-control-common.c: Fix build failure due to out-of-bound + write -Werror=stringop-truncation + +cd /build/dlt-daemon-2.18.7/obj-x86_64-linux-gnu/src/console/logstorage && /usr/bin/cc -DCONFIGURATION_FILES_DIR=\"/etc\" -DDLT_DAEMON_USE_FIFO_IPC -DDLT_LIB_USE_FIFO_IPC -DDLT_NETWORK_TRACE_ENABLE -DDLT_SYSTEMD_ENABLE -DDLT_SYSTEMD_JOURNAL_ENABLE -DDLT_UNIT_TESTS -DDLT_USER_IPC_PATH=\"/tmp\" -DDLT_USE_IPv6 -DEXTENDED_FILTERING -D_GNU_SOURCE -I/build/dlt-daemon-2.18.7 -I/build/dlt-daemon-2.18.7/obj-x86_64-linux-gnu/include/dlt -I/build/dlt-daemon-2.18.7/include/dlt -I/build/dlt-daemon-2.18.7/src/shared -I/build/dlt-daemon-2.18.7/src/core_dump_handler -I/build/dlt-daemon-2.18.7/src/offlinelogstorage -I/build/dlt-daemon-2.18.7/src/lib -I/build/dlt-daemon-2.18.7/src/daemon -I/build/dlt-daemon-2.18.7/src/console -I/build/dlt-daemon-2.18.7/src/gateway -I/build/dlt-daemon-2.18.7/systemd/3rdparty -g -O2 -ffile-prefix-map=/build/dlt-daemon-2.18.7=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Werror -std=gnu99 -Wall -Wextra -Wno-variadic-macros -Wno-strict-aliasing -o CMakeFiles/dlt-logstorage-ctrl.dir/__/dlt-control-common.c.o -c /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c +make[3]: Leaving directory '/build/dlt-daemon-2.18.7/obj-x86_64-linux-gnu' +In file included from /usr/include/string.h:495, + from /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c:56: +In function 'strncpy', + inlined from 'dlt_json_filter_load' at /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c:716:13: +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4 equals destination size [-Werror=stringop-truncation] + 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'dlt_json_filter_load' at /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c:721:13: +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4 equals destination size [-Werror=stringop-truncation] + 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> +Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> +--- + src/console/dlt-control-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/console/dlt-control-common.c b/src/console/dlt-control-common.c +index 8a9d29f0..f58d8268 100644 +--- a/src/console/dlt-control-common.c ++++ b/src/console/dlt-control-common.c +@@ -671,8 +671,8 @@ DltReturnValue dlt_json_filter_load(DltFilter *filter, const char *filename, int + struct json_object *j_payload_max; + enum json_tokener_error jerr; + +- char app_id[DLT_ID_SIZE] = ""; +- char context_id[DLT_ID_SIZE] = ""; ++ char app_id[DLT_ID_SIZE + 1] = ""; ++ char context_id[DLT_ID_SIZE + 1] = ""; + int32_t log_level = 0; + int32_t payload_max = INT32_MAX; + int32_t payload_min = 0; diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb index 45724e98ac..2a045f5790 100644 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb @@ -12,15 +12,14 @@ SECTION = "console/utils" LICENSE = "MPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=8184208060df880fe3137b93eb88aeea" -DEPENDS = "zlib gzip-native" +DEPENDS = "zlib gzip-native json-c" -SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \ +SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \ file://0002-Don-t-execute-processes-as-a-specific-user.patch \ file://0004-Modify-systemd-config-directory.patch \ - file://204.patch \ - file://275.patch \ + file://317.patch \ " -SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4" +SRCREV = "24d197214bfdcec7430d31b42e5c87df27287aaf" S = "${WORKDIR}/git" @@ -42,12 +41,13 @@ PACKAGECONFIG[dlt-console] = "-DWITH_DLT_CONSOLE=ON,-DWITH_DLT_CONSOLE=OFF,,dlt- inherit autotools gettext cmake systemd -EXTRA_OECMAKE += "-DSYSTEMD_UNITDIR=${systemd_system_unitdir}" +EXTRA_OECMAKE += "-DWITH_EXTENDED_FILTERING=ON -DSYSTEMD_UNITDIR=${systemd_system_unitdir}" PACKAGES += "${PN}-systemd" SYSTEMD_PACKAGES = "${PN} ${PN}-systemd" SYSTEMD_SERVICE_${PN} = " ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'dlt.service', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'dlt-system', 'dlt-system.service', '', d)}" + ${@bb.utils.contains('PACKAGECONFIG', 'dlt-system', 'dlt-system.service', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'dlt-dbus', 'dlt-dbus.service', '', d)}" SYSTEMD_AUTO_ENABLE_${PN} = "enable" SYSTEMD_SERVICE_${PN}-systemd = " \ ${@bb.utils.contains('PACKAGECONFIG', 'dlt-adaptor', 'dlt-adaptor-udp.service', '', d)} \ diff --git a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb index aa55ebf84d..162f5aa339 100644 --- a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb +++ b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb @@ -18,7 +18,7 @@ SRCREV = "3dd23e3280f213bacefdf5fcb04857bf52e90917" PV = "0.6.2+git${SRCPV}" SRC_URI = "\ - git://github.com/docopt/docopt.cpp.git;protocol=https \ + git://github.com/docopt/docopt.cpp.git;protocol=https;branch=master \ file://0001-Set-library-VERSION-and-SOVERSION.patch \ " diff --git a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb index 09eab9dcd0..eb00092c7b 100644 --- a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb +++ b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=5940d39995ea6857d01b8227109c2e9c" SRCREV = "b1e978e486114797347deefcc03ab12629a13cc3" -SRC_URI = "git://github.com/Yelp/dumb-init" +SRC_URI = "git://github.com/Yelp/dumb-init;branch=master;protocol=https" S = "${WORKDIR}/git" EXTRA_OEMAKE = "CC='${CC}' CFLAGS='${CFLAGS} ${LDFLAGS}'" diff --git a/meta-oe/recipes-extended/figlet/figlet_git.bb b/meta-oe/recipes-extended/figlet/figlet_git.bb index 4611646b9b..61b050aac6 100644 --- a/meta-oe/recipes-extended/figlet/figlet_git.bb +++ b/meta-oe/recipes-extended/figlet/figlet_git.bb @@ -4,7 +4,7 @@ HOMEPAGE = "http://www.figlet.org/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=1688bcd97b27704f1afcac7336409857" -SRC_URI = "git://github.com/cmatsuoka/figlet.git \ +SRC_URI = "git://github.com/cmatsuoka/figlet.git;branch=master;protocol=https \ file://0001-build-add-autotools-support-to-allow-easy-cross-comp.patch" SRCREV = "5bbcd7383a8c3a531299b216b0c734e1495c6db3" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb index 926d8851d2..b2c41756e5 100644 --- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb +++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb @@ -32,7 +32,7 @@ BBCLASSEXTEND = "native" DEPENDS_class-native = "readline-native" PACKAGECONFIG_class-native = "" -SRC_URI_append_class-native = "file://0001-reduce-build-to-conversion-tools-for-native-build.patch" +SRC_URI_append_class-native = " file://0001-reduce-build-to-conversion-tools-for-native-build.patch" do_install_class-native() { install -d ${D}${bindir} diff --git a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb index 50326ea2f4..19b0d8dbd7 100644 --- a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb +++ b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM="file://COPYING;md5=d32239bcb673463ab874e80d47fae504" # v1.9.9 SRCREV = "1283a65c541c4a83e152024a63faf7b267b9b1cd" -SRC_URI = "git://github.com/jirka-h/haveged.git \ +SRC_URI = "git://github.com/jirka-h/haveged.git;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb index 050b7da3d7..c0d1b1b8bb 100644 --- a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb +++ b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb @@ -6,7 +6,7 @@ DEPENDS = "ncurses" LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://github.com/pixel/hexedit.git \ +SRC_URI = "git://github.com/pixel/hexedit.git;branch=master;protocol=https \ " SRCREV = "800e4b2e6280531a84fd23ee0b48e16baeb90878" diff --git a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb index 29f8de8d2f..cee1f342bd 100644 --- a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb +++ b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb @@ -6,7 +6,7 @@ DEPENDS = "redis" LIC_FILES_CHKSUM = "file://COPYING;md5=d84d659a35c666d23233e54503aaea51" SRCREV = "685030652cd98c5414ce554ff5b356dfe8437870" -SRC_URI = "git://github.com/redis/hiredis;protocol=git \ +SRC_URI = "git://github.com/redis/hiredis;protocol=https;branch=master \ file://0001-Makefile-remove-hardcoding-of-CC.patch" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/iotop/iotop_0.6.bb b/meta-oe/recipes-extended/iotop/iotop_0.6.bb index 3a597218db..19af46cb16 100644 --- a/meta-oe/recipes-extended/iotop/iotop_0.6.bb +++ b/meta-oe/recipes-extended/iotop/iotop_0.6.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4325afd396febcb659c36b49533135d4" PV .= "+git${SRCPV}" SRCREV = "1bfb3bc70febb1ffb95146b6dcd65257228099a3" -SRC_URI = "git://repo.or.cz/iotop.git" +SRC_URI = "git://repo.or.cz/iotop.git;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb index b7899a11b6..2f4724a336 100644 --- a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb +++ b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb @@ -7,7 +7,7 @@ RDEPENDS_${BPN} = "openssl curl" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" -SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master \ +SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master;protocol=https \ file://0001-tweak-install-prefix.patch \ file://0002-fix-parallel-error.patch \ " diff --git a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb index d6e56ea768..7beea9f1e7 100644 --- a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb +++ b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb @@ -11,4 +11,7 @@ SRC_URI[sha256sum] = "f4f377da17b10201a60c1108613e78ee15df6b12016b116b6de42209f4 inherit autotools pkgconfig +# upstream considers it isn't a real bug https://github.com/akheron/jansson/issues/548 +CVE_CHECK_WHITELIST = "CVE-2020-36325 " + BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb index 50dd74b685..ba1fece05c 100644 --- a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb +++ b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a" PV = "2.3.5+git${SRCPV}" -SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http" +SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http;branch=master;protocol=https" SRCREV = "c2d857091c0dfed05139ac07ea9b0f36ad259638" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb index e6d5663f85..977aabf040 100644 --- a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb +++ b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f673270bfc350d9ce1efc8724c6c1873" DEPENDS_append_class-target = " swig-native sblim-cmpi-devel python3" DEPENDS_append_class-native = " cmpi-bindings-native" -SRC_URI = "git://github.com/rnovacek/konkretcmpi.git \ +SRC_URI = "git://github.com/rnovacek/konkretcmpi.git;branch=master;protocol=https \ file://0001-CMakeLists.txt-fix-lib64-can-not-be-shiped-in-64bit-.patch \ file://0001-drop-including-rpath-cmake-module.patch \ " diff --git a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb index 99cdee5bba..c1023e625e 100644 --- a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb +++ b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c" inherit autotools gobject-introspection -SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch" +SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch;protocol=https" SRCREV = "f5a4ba8bb298f8cbc435707d0b19b4b2ff836a8e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libcec/libcec_git.bb b/meta-oe/recipes-extended/libcec/libcec_git.bb index 39ceb489e2..07320e42bd 100644 --- a/meta-oe/recipes-extended/libcec/libcec_git.bb +++ b/meta-oe/recipes-extended/libcec/libcec_git.bb @@ -12,7 +12,7 @@ DEPENDS_append_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '' PV = "5.0.0" SRCREV = "43bc27fe7be491149e6f57d14110e02abdac2f24" -SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release \ +SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release;protocol=https \ file://0001-CheckPlatformSupport.cmake-Do-not-hardcode-lib-path.patch \ file://0001-Enhance-reproducibility.patch \ " diff --git a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb index b7c1958eef..e763a701e5 100644 --- a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb +++ b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb @@ -11,7 +11,7 @@ inherit autotools pkgconfig PV = "0.6.0" SRCREV = "1195abc2f4acc7b10175d570ec73549d0938c83e" -SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https \ +SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb index a990deb91f..0906e9a645 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb @@ -9,7 +9,7 @@ DEPENDS = "libxml2 glib-2.0 swig python3" inherit autotools pkgconfig python3native python3targetconfig SRCREV = "3df02d4d0e9008771e8622fdc10de8333b3f0d85" -SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https \ +SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb index 36fc5c858c..5901057840 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb @@ -7,9 +7,10 @@ DEPENDS = "udev libusb1 libplist" inherit autotools pkgconfig gitpkgv PKGV = "${GITPKGVTAG}" +PV = "1.0.10+git${SRCPV}" SRCREV = "78df9be5fc8222ed53846cb553de9b5d24c85c6c" -SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https" +SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb index 7fc5997983..bbfee1ff7a 100644 --- a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb +++ b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=84dcc94da3adb52b53ae4fa38fe49e5d" inherit cmake pkgconfig -SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https \ +SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https;branch=master \ file://0001-cmake-Use-GNUInstallDirs-instead-of-hardcoding-lib-p.patch \ " SRCREV = "59d2b405f95701e5b04326589786dbb43ce49e81" diff --git a/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch b/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch new file mode 100644 index 0000000000..2aec818574 --- /dev/null +++ b/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch @@ -0,0 +1,38 @@ +From 790ff6dad16b70e68804a2d53ad54db40412e889 Mon Sep 17 00:00:00 2001 +From: Michael Heimpold <mhei@heimpold.de> +Date: Sat, 8 Jan 2022 20:00:50 +0100 +Subject: [PATCH] modbus_reply: fix copy & paste error in sanity check (fixes + #614) + +[ Upstream commit b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 ] + +While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets +must be checked, i.e. the read and the write address must be within the +mapping range. + +At the moment, only the read address was considered, it looks like a +simple copy and paste error, so let's fix it. + +CVE: CVE-2022-0367 + +Signed-off-by: Michael Heimpold <mhei@heimpold.de> +--- + src/modbus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/modbus.c b/src/modbus.c +index 68a28a3..c871152 100644 +--- a/src/modbus.c ++++ b/src/modbus.c +@@ -961,7 +961,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, + nb_write, nb, MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS); + } else if (mapping_address < 0 || + (mapping_address + nb) > mb_mapping->nb_registers || +- mapping_address < 0 || ++ mapping_address_write < 0 || + (mapping_address_write + nb_write) > mb_mapping->nb_registers) { + rsp_length = response_exception( + ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS, rsp, FALSE, +-- +2.39.1 + diff --git a/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb b/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb index 075487ae90..5c59312760 100644 --- a/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb +++ b/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb @@ -2,7 +2,10 @@ require libmodbus.inc SRC_URI += "file://f1eb4bc7ccb09cd8d19ab641ee37637f8c34d16d.patch \ file://Fix-float-endianness-issue-on-big-endian-arch.patch \ - file://Fix-typo.patch" + file://Fix-typo.patch \ + file://CVE-2022-0367.patch \ + " + SRC_URI[md5sum] = "15c84c1f7fb49502b3efaaa668cfd25e" SRC_URI[sha256sum] = "d7d9fa94a16edb094e5fdf5d87ae17a0dc3f3e3d687fead81835d9572cf87c16" diff --git a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb index c9d259b1a0..29c35caf54 100644 --- a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb +++ b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb @@ -17,7 +17,7 @@ PV = "1.3+git${SRCPV}" SRCREV = "116219e215858f4af9370171d3ead63baca8fdb4" -SRC_URI = "git://github.com/thkukuk/libnss_nisplus \ +SRC_URI = "git://github.com/thkukuk/libnss_nisplus;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb index cd4019666d..dbe03fedef 100644 --- a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb +++ b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb @@ -11,7 +11,7 @@ inherit autotools pkgconfig # v1.0.5 SRCREV = "d08dbcf08b0da418bce9b5427dfd89522916322a" -SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1 \ +SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1;protocol=https \ file://0001-build-fix-configure-script-neglecting-re-enable-out-.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb index 4276c49173..24784f77a0 100644 --- a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb +++ b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb @@ -11,7 +11,7 @@ DEPENDS = "xmlrpc-c xmlrpc-c-native intltool-native \ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" -SRC_URI = "git://github.com/abrt/libreport.git;protocol=https" +SRC_URI = "git://github.com/abrt/libreport.git;protocol=https;branch=master" SRC_URI += "file://0001-Makefile.am-remove-doc-and-apidoc.patch \ file://0002-configure.ac-remove-prog-test-of-xmlto-and-asciidoc.patch \ file://0003-without-build-plugins.patch \ diff --git a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb index a081cb17a8..27fe0e2c40 100644 --- a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb +++ b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb @@ -31,4 +31,4 @@ FILES_statgrab-dbg = "${bindir}/.debug/statgrab" FILES_saidar = "${bindir}/saidar" FILES_saidar-dbg = "${bindir}/.debug/saidar" FILES_${PN}-mrtg = "${bindir}/statgrab-make-mrtg-config ${bindir}/statgrab-make-mrtg-index" -RDEPENDS_${PN}-mrtg_append = "perl statgrab" +RDEPENDS_${PN}-mrtg_append = " perl statgrab" diff --git a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb index dd34c180a3..0278e55f3e 100644 --- a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb +++ b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb @@ -3,7 +3,7 @@ SECTION = "base" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" -SRC_URI = "git://git.code.sf.net/p/libuio/code \ +SRC_URI = "git://git.code.sf.net/p/libuio/code;branch=master \ file://replace_inline_with_static-inline.patch \ file://0001-include-fcntl.h-for-O_RDWR-define.patch \ " diff --git a/meta-oe/recipes-extended/md5deep/md5deep_git.bb b/meta-oe/recipes-extended/md5deep/md5deep_git.bb index e8c6864c1f..cc31323c3f 100644 --- a/meta-oe/recipes-extended/md5deep/md5deep_git.bb +++ b/meta-oe/recipes-extended/md5deep/md5deep_git.bb @@ -9,7 +9,7 @@ PV = "4.4+git${SRCPV}" SRCREV = "877613493ff44807888ce1928129574be393cbb0" -SRC_URI = "git://github.com/jessek/hashdeep.git \ +SRC_URI = "git://github.com/jessek/hashdeep.git;branch=master;protocol=https \ file://wrong-variable-expansion.patch \ file://0001-Fix-literal-and-identifier-spacing-as-dictated-by-C-.patch \ " diff --git a/meta-oe/recipes-extended/mraa/mraa_git.bb b/meta-oe/recipes-extended/mraa/mraa_git.bb index 0b40dcb71b..540ef6e12a 100644 --- a/meta-oe/recipes-extended/mraa/mraa_git.bb +++ b/meta-oe/recipes-extended/mraa/mraa_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=91e7de50a8d3cf01057f318d72460acd" SRCREV = "e15ce6fbc76148ba8835adc92196b0d0a3f245e7" PV = "2.1.0+git${SRCPV}" -SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \ +SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \ file://0001-cmake-Use-a-regular-expression-to-match-x86-architec.patch \ " diff --git a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb index 9d5a2307e7..e96c977453 100644 --- a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb +++ b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb @@ -17,7 +17,7 @@ REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "d8eba6cb6682b59d84ca1da67a523520b879ade6" -SRC_URI = "git://github.com/Openwsman/openwsman.git \ +SRC_URI = "git://github.com/Openwsman/openwsman.git;branch=main;protocol=https \ file://libssl-is-required-if-eventint-supported.patch \ file://openwsmand.service \ file://0001-lock.c-Define-PTHREAD_MUTEX_RECURSIVE_NP-if-undefine.patch \ diff --git a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb index 43021c5342..5b0171d8c8 100644 --- a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb +++ b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb @@ -22,7 +22,7 @@ DEPENDS = " \ PREMIRRORS = "" SRC_URI = " \ - gitsm://github.com/ostreedev/ostree \ + gitsm://github.com/ostreedev/ostree;branch=main;protocol=https \ file://run-ptest \ " SRCREV = "6ed48234ba579ff73eb128af237212b0a00f2057" @@ -176,12 +176,12 @@ RDEPENDS_${PN}-ptest += " \ util-linux \ xz \ ${PN}-trivial-httpd \ - ${@bb.utils.contains('BBFILE_COLLECTIONS', 'meta-python', 'python3-pyyaml', '', d)} \ + python3-pyyaml \ ${@bb.utils.contains('PACKAGECONFIG', 'gjs', 'gjs', '', d)} \ " RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils glibc-localedata-en-us" -RRECOMMENDS_${PN} += "kernel-module-overlay" +RRECOMMENDS_${PN}_append_class-target = " kernel-module-overlay" SYSTEMD_SERVICE_${PN} = "ostree-remount.service ostree-finalize-staged.path" SYSTEMD_SERVICE_${PN}-switchroot = "ostree-prepare-root.service" diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch new file mode 100644 index 0000000000..98e186cbf0 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch @@ -0,0 +1,27 @@ +p7zip: Update CVE-2016-9296 patch URL. +From: Robert Luberda <robert@debian.org> +Date: Sat, 19 Nov 2016 08:48:08 +0100 +Subject: Fix nullptr dereference (CVE-2016-9296) + +Patch taken from https://sourceforge.net/p/p7zip/bugs/185/ +This patch file taken from Debian's patch set for p7zip + +Upstream-Status: Backport [https://sourceforge.net/p/p7zip/bugs/185/] +CVE: CVE-2016-9296 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +Index: p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/7z/7zIn.cpp ++++ p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch new file mode 100644 index 0000000000..b6deb5d3a7 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch @@ -0,0 +1,226 @@ +From: Robert Luberda <robert@debian.org> +Date: Sun, 28 Jan 2018 23:47:40 +0100 +Subject: CVE-2018-5996 + +Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by +applying a few changes from 7Zip 18.00-beta. + +Bug-Debian: https://bugs.debian.org/#888314 + +Upstream-Status: Backport [https://sources.debian.org/data/non-free/p/p7zip-rar/16.02-3/debian/patches/06-CVE-2018-5996.patch] +CVE: CVE-2018-5996 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++---- + CPP/7zip/Compress/Rar1Decoder.h | 1 + + CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++- + CPP/7zip/Compress/Rar2Decoder.h | 1 + + CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++--- + CPP/7zip/Compress/Rar3Decoder.h | 2 ++ + 6 files changed, 42 insertions(+), 8 deletions(-) + +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +@@ -29,7 +29,7 @@ public: + }; + */ + +-CDecoder::CDecoder(): m_IsSolid(false) { } ++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { } + + void CDecoder::InitStructures() + { +@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialIn + InitData(); + if (!m_IsSolid) + { ++ _errorMode = false; + InitStructures(); + InitHuff(); + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (m_UnpackSize > 0) + { + GetFlagsBuf(); +@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialI + const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress) + { + try { return CodeReal(inStream, outStream, inSize, outSize, progress); } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(const CLzOutWindowException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + } + + STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size) +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +@@ -39,6 +39,7 @@ public: + + Int64 m_UnpackSize; + bool m_IsSolid; ++ bool _errorMode; + + UInt32 ReadBits(int numBits); + HRESULT CopyBlock(UInt32 distance, UInt32 len); +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << + static const UInt32 kWindowReservSize = (1 << 22) + 256; + + CDecoder::CDecoder(): +- m_IsSolid(false) ++ m_IsSolid(false), ++ m_TablesOK(false) + { + } + +@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBi + + bool CDecoder::ReadTables(void) + { ++ m_TablesOK = false; ++ + Byte levelLevels[kLevelTableSize]; + Byte newLevels[kMaxTableSize]; + m_AudioMode = (ReadBits(1) == 1); +@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void) + } + + memcpy(m_LastLevels, newLevels, kMaxTableSize); ++ m_TablesOK = true; ++ + return true; + } + +@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialIn + return S_FALSE; + } + ++ if (!m_TablesOK) ++ return S_FALSE; ++ + UInt64 startPos = m_OutWindowStream.GetProcessedSize(); + while (pos < unPackSize) + { +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +@@ -139,6 +139,7 @@ class CDecoder : + + UInt64 m_PackSize; + bool m_IsSolid; ++ bool m_TablesOK; + + void InitStructures(); + UInt32 ReadBits(unsigned numBits); +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +@@ -92,7 +92,8 @@ CDecoder::CDecoder(): + _writtenFileSize(0), + _vmData(0), + _vmCode(0), +- m_IsSolid(false) ++ m_IsSolid(false), ++ _errorMode(false) + { + Ppmd7_Construct(&_ppmd); + } +@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + return InitPPM(); + } + ++ TablesRead = false; ++ TablesOK = false; ++ + _lzMode = true; + PrevAlignBits = 0; + PrevAlignCount = 0; +@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + } + } + } ++ if (InputEofError()) ++ return S_FALSE; ++ + TablesRead = true; + + // original code has check here: +@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize])); + + memcpy(m_LastLevels, newLevels, kTablesSizesSum); ++ ++ TablesOK = true; ++ + return S_OK; + } + +@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProg + PpmEscChar = 2; + PpmError = true; + InitFilters(); ++ _errorMode = false; + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (!m_IsSolid || !TablesRead) + { + bool keepDecompressing; +@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProg + bool keepDecompressing; + if (_lzMode) + { ++ if (!TablesOK) ++ return S_FALSE; + RINOK(DecodeLZ(keepDecompressing)) + } + else +@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialI + _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1; + return CodeReal(progress); + } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + // CNewException is possible here. But probably CNewException is caused + // by error in data stream. + } +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +@@ -192,6 +192,7 @@ class CDecoder: + UInt32 _lastFilter; + + bool m_IsSolid; ++ bool _errorMode; + + bool _lzMode; + bool _unsupportedFilter; +@@ -200,6 +201,7 @@ class CDecoder: + UInt32 PrevAlignCount; + + bool TablesRead; ++ bool TablesOK; + + CPpmd7 _ppmd; + int PpmEscChar; diff --git a/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch new file mode 100644 index 0000000000..dcde83e8a4 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch @@ -0,0 +1,27 @@ +fixes the below error + +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp: In member function 'virtual LONG NArchive::NWim::CHandler::GetArchiveProperty(PROPID, PROPVARIANT*)': +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:308:11: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 308 | numMethods++; +| | ^~~~~~~~~~ +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:318:9: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 318 | numMethods++; + + +use unsigned instead of bool +Signed-off-by: Nisha Parrakat <Nisha.Parrakat@kpit.com> + +Upstream-Status: Pending +Index: p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/Wim/WimHandler.cpp ++++ p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchivePropert + + AString res; + +- bool numMethods = 0; ++ unsigned numMethods = 0; + for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++) + { + if (methodMask & ((UInt32)1 << i)) diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb index 13479a90fe..79677c6487 100644 --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb @@ -9,6 +9,9 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al file://do_not_override_compiler_and_do_not_strip.patch \ file://CVE-2017-17969.patch \ file://0001-Fix-narrowing-errors-Wc-11-narrowing.patch \ + file://change_numMethods_from_bool_to_unsigned.patch \ + file://CVE-2018-5996.patch \ + file://CVE-2016-9296.patch \ " SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" @@ -16,10 +19,26 @@ SRC_URI[sha256sum] = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6 S = "${WORKDIR}/${BPN}_${PV}" +do_compile_append() { + oe_runmake 7z +} +FILES_${PN} += "${libdir}/* ${bindir}/7z" + +FILES_SOLIBSDEV = "" +INSANE_SKIP_${PN} += "dev-so" + do_install() { install -d ${D}${bindir} - install -m 0755 ${S}/bin/* ${D}${bindir} + install -d ${D}${bindir}/Codecs + install -d ${D}${libdir} + install -d ${D}${libdir}/Codecs + install -m 0755 ${S}/bin/7za ${D}${bindir} ln -s 7za ${D}${bindir}/7z + install -m 0755 ${S}/bin/Codecs/* ${D}${libdir}/Codecs/ + install -m 0755 ${S}/bin/7z.so ${D}${libdir}/lib7z.so } -BBCLASSEXTEND = "native" +RPROVIDES_${PN} += "lib7z.so()(64bit) 7z lib7z.so" +RPROVIDES_${PN}-dev += "lib7z.so()(64bit) 7z lib7z.so" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-extended/p8platform/p8platform_git.bb b/meta-oe/recipes-extended/p8platform/p8platform_git.bb index 0690d4ba3c..2e52caeffa 100644 --- a/meta-oe/recipes-extended/p8platform/p8platform_git.bb +++ b/meta-oe/recipes-extended/p8platform/p8platform_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/os.h;md5=752555fa94e82005d45fd201fee5bd33" PV = "2.1.0.1" -SRC_URI = "git://github.com/Pulse-Eight/platform.git \ +SRC_URI = "git://github.com/Pulse-Eight/platform.git;branch=master;protocol=https \ file://0001-Make-resulting-cmake-config-relocatable.patch" SRCREV = "2d90f98620e25f47702c9e848380c0d93f29462b" diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb index 9838e75ef5..5c2af44c73 100644 --- a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb @@ -11,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "e2145df09469bf84878e4729b4ecd814efb797d1" -SRC_URI = "git://github.com/PADL/pam_ccreds" +SRC_URI = "git://github.com/PADL/pam_ccreds;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb index 626b22fe48..5022300ba3 100644 --- a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb +++ b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb @@ -11,7 +11,7 @@ inherit features_check REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "84d7b260f1ae6857ae36e014c9a5968e8aa1cbe8" -SRC_URI = "git://github.com/rmbreak/pam_ldapdb \ +SRC_URI = "git://github.com/rmbreak/pam_ldapdb;branch=master;protocol=https \ file://0001-include-stdexcept-for-std-invalid_argument.patch \ " diff --git a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb index f5066da0d8..5c56a16f41 100644 --- a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb +++ b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb @@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " fts" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/pmem/pmdk.git \ +SRC_URI = "git://github.com/pmem/pmdk.git;branch=master;protocol=https \ file://0001-jemalloc-jemalloc.cfg-Specify-the-host-when-building.patch \ file://0002-Makefile-Don-t-install-the-docs.patch \ file://0001-os_posix-Use-__FreeBSD__-to-control-secure_getenv-de.patch \ diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch new file mode 100644 index 0000000000..cab1c83c09 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch @@ -0,0 +1,74 @@ +From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001 +From: "Jeremy A. Puhlman" <jpuhlman@mvista.com> +Date: Thu, 27 Jan 2022 00:01:27 +0000 +Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to + incorrect handling of argument vector + +Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 +CVE: CVE-2021-4034 + +Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> +--- + src/programs/pkcheck.c | 6 ++++++ + src/programs/pkexec.c | 21 ++++++++++++++++++++- + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c +index f1bb4e1..aff4f60 100644 +--- a/src/programs/pkcheck.c ++++ b/src/programs/pkcheck.c +@@ -363,6 +363,12 @@ main (int argc, char *argv[]) + local_agent_handle = NULL; + ret = 126; + ++ if (argc < 1) ++ { ++ help(); ++ exit(1); ++ } ++ + /* Disable remote file access from GIO. */ + setenv ("GIO_USE_VFS", "local", 1); + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 7698c5c..3ff4c58 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -488,6 +488,17 @@ main (int argc, char *argv[]) + pid_t pid_of_caller; + gpointer local_agent_handle; + ++ ++ /* ++ * If 'pkexec' is called wrong, just show help and bail out. ++ */ ++ if (argc<1) ++ { ++ clearenv(); ++ usage(argc, argv); ++ exit(1); ++ } ++ + ret = 127; + authority = NULL; + subject = NULL; +@@ -636,7 +647,15 @@ main (int argc, char *argv[]) + goto out; + } + g_free (path); +- argv[n] = path = s; ++ path = s; ++ ++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. ++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination ++ */ ++ if (argv[n] != NULL) ++ { ++ argv[n] = path; ++ } + } + if (access (path, F_OK) != 0) + { +-- +2.26.2 + diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch new file mode 100644 index 0000000000..37e0d6063c --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch @@ -0,0 +1,87 @@ +From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Mon, 21 Feb 2022 08:29:05 +0000 +Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch] +CVE: CVE-2021-4115 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8ed1363..2fbf5f1 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -62,6 +62,10 @@ enum + PROP_NAME, + }; + ++ ++guint8 dbus_call_respond_fails; // has to be global because of callback ++ ++ + static void subject_iface_init (PolkitSubjectIface *subject_iface); + + G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT, +@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src, + if (!v) + { + data->caught_error = TRUE; ++ dbus_call_respond_fails += 1; + } + else + { +@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + tmp_context = g_main_context_new (); + g_main_context_push_thread_default (tmp_context); + ++ dbus_call_respond_fails = 0; ++ + /* Do two async calls as it's basically as fast as one sync call. + */ + g_dbus_connection_call (connection, +@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + on_retrieved_unix_uid_pid, + &data); + +- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) +- g_main_context_iteration (tmp_context, TRUE); ++ while (TRUE) ++ { ++ /* If one dbus call returns error, we must wait until the other call ++ * calls _call_finish(), otherwise fd leak is possible. ++ * Resolves: GHSL-2021-077 ++ */ + +- if (data.caught_error) +- goto out; ++ if ( (dbus_call_respond_fails > 1) ) ++ { ++ // we got two faults, we can leave ++ goto out; ++ } ++ ++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid))) ++ { ++ // we got one fault and the other call finally finished, we can leave ++ goto out; ++ } ++ ++ if ( !(data.retrieved_uid && data.retrieved_pid) ) ++ { ++ g_main_context_iteration (tmp_context, TRUE); ++ } ++ else ++ { ++ break; ++ } ++ } + + if (out_uid) + *out_uid = data.uid; +-- +GitLab + diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch new file mode 100644 index 0000000000..76308ffdb9 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch @@ -0,0 +1,33 @@ +From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Wed, 2 Jun 2021 15:43:38 +0200 +Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit + +initial values returned if error caught + +CVE: CVE-2021-3560 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/polkit/polkitsystembusname.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8daa12c..8ed1363 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) +-- +2.29.2 + diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb index ad1973b136..dd8e208616 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb @@ -25,6 +25,9 @@ PAM_SRC_URI = "file://polkit-1_pam.patch" SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0003-make-netgroup-support-optional.patch \ + file://CVE-2021-3560.patch \ + file://CVE-2021-4034.patch \ + file://CVE-2021-4115.patch \ " SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a" SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1" diff --git a/meta-oe/recipes-extended/redis/redis_5.0.9.bb b/meta-oe/recipes-extended/redis/redis_5.0.14.bb index d04293369a..3d849ec8c3 100644 --- a/meta-oe/recipes-extended/redis/redis_5.0.9.bb +++ b/meta-oe/recipes-extended/redis/redis_5.0.14.bb @@ -17,8 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE.patch \ " -SRC_URI[md5sum] = "c94523c9f4ee662027ddf90575d0e058" -SRC_URI[sha256sum] = "53d0ae164cd33536c3d4b720ae9a128ea6166ebf04ff1add3b85f1242090cb85" +SRC_URI[sha256sum] = "3ea5024766d983249e80d4aa9457c897a9f079957d0fb1f35682df233f997f32" inherit autotools-brokensep update-rc.d systemd useradd diff --git a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb index 5662e63474..914b12e7ca 100644 --- a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb +++ b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb @@ -10,7 +10,7 @@ SRCREV = "56a83f4f52e6745cd4352f9ee008be3183a6dedf" PV = "1.7.2" SRC_URI = "\ - git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http; \ + git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb index b84dde3d37..3b63971e5d 100644 --- a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb +++ b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f" DEPENDS = "" -SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https \ +SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https;branch=master \ file://0001-fix-jump-misses-init-gcc-8-warning.patch" SRCREV = "4758b1caf69ada911ef79e1d80793fe489b98dff" diff --git a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb index a4663148cd..9da9d7c96c 100644 --- a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb +++ b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1fb9c10ed9fd6826757615455ca893a9" DEPENDS = "gmp nettle libidn zlib gnutls openssl" -SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https \ +SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https;branch=master \ " SRCREV = "0beb2258e12e4131dc31e261078ea53d18f787d7" diff --git a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb index ffd46da0af..e720d3e5c8 100644 --- a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb +++ b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://../README.license;md5=60487bf0bf429d6b5aa72b6d37a0eb2 PV .= "+git${SRCPV}" -SRC_URI = "git://pagure.io/sanlock.git;protocol=http \ +SRC_URI = "git://pagure.io/sanlock.git;protocol=http;branch=master \ file://0001-sanlock-Replace-cp-a-with-cp-R-no-dereference-preser.patch;patchdir=../ \ " SRCREV = "cff348800722f7dadf030ffe7494c2df714996e3" diff --git a/meta-oe/recipes-extended/sedutil/sedutil_git.bb b/meta-oe/recipes-extended/sedutil/sedutil_git.bb index 765618433b..03446c324d 100644 --- a/meta-oe/recipes-extended/sedutil/sedutil_git.bb +++ b/meta-oe/recipes-extended/sedutil/sedutil_git.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://Common/LICENSE.txt;md5=d32239bcb673463ab874e80d47fae5 BASEPV = "1.15.1" PV = "${BASEPV}+git${SRCPV}" SRCREV = "358cc758948be788284d5faba46ccf4cc1813796" -SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git \ +SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git;branch=master;protocol=https \ file://0001-Fix-build-on-big-endian-architectures.patch \ " diff --git a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb index e40e1cd263..7d016bc963 100644 --- a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb +++ b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb @@ -3,7 +3,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=72d977d697c3c05830fdff00a7448931" SRCREV = "b31bce98d65f894aad6427bcf6f3f7822e261a59" PV = "1.0+git${SRCPV}" -SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https" +SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/socketcan/can-utils_git.bb b/meta-oe/recipes-extended/socketcan/can-utils_git.bb index 519368817f..92b38030fe 100644 --- a/meta-oe/recipes-extended/socketcan/can-utils_git.bb +++ b/meta-oe/recipes-extended/socketcan/can-utils_git.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://include/linux/can.h;endline=44;md5=a9e1169c6c9a114a61 DEPENDS = "libsocketcan" -SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=git" +SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=https;branch=master" SRCREV = "da65fdfe0d1986625ee00af0b56ae17ec132e700" diff --git a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb index e1508af857..56466a6cd2 100644 --- a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb +++ b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "libsocketcan" SRCREV = "299dff7f5322bf0348dcdd60071958ebedf5f09d" -SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git \ +SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git;branch=master \ file://0001-canutils-candump-Add-error-frame-s-handling.patch \ " diff --git a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb index 0debe47e03..6a44cff93d 100644 --- a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb +++ b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://src/libsocketcan.c;beginline=3;endline=17;md5=97e38ad SRCREV = "0ff01ae7e4d271a7b81241e7a7026bfcea0add3f" -SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git" +SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/sysdig/sysdig_git.bb b/meta-oe/recipes-extended/sysdig/sysdig_git.bb index 04a022af4f..b06340f82f 100644 --- a/meta-oe/recipes-extended/sysdig/sysdig_git.bb +++ b/meta-oe/recipes-extended/sysdig/sysdig_git.bb @@ -15,10 +15,10 @@ JIT_mipsarchn64 = "" JIT_riscv64 = "" JIT_riscv32 = "" -DEPENDS += "lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native" +DEPENDS += "libb64 lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native" RDEPENDS_${PN} = "bash" -SRC_URI = "git://github.com/draios/sysdig.git;branch=dev \ +SRC_URI = "git://github.com/draios/sysdig.git;branch=dev;protocol=https \ file://0001-fix-build-with-LuaJIT-2.1-betas.patch \ file://0001-Fix-build-with-musl-backtrace-APIs-are-glibc-specifi.patch \ file://fix-uint64-const.patch \ @@ -32,7 +32,6 @@ S = "${WORKDIR}/git" EXTRA_OECMAKE = "\ -DBUILD_DRIVER=OFF \ -DUSE_BUNDLED_DEPS=OFF \ - -DUSE_BUNDLED_B64=ON \ -DCREATE_TEST_TARGETS=OFF \ -DDIR_ETC=${sysconfdir} \ -DLUA_INCLUDE_DIR=${STAGING_INCDIR}/luajit-2.1 \ diff --git a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb index 637770af24..c9d9fb5729 100644 --- a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb +++ b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb @@ -2,7 +2,7 @@ SUMMARY = "Transparent Inter-Process Communication protocol" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://tipclog/tipc.h;endline=35;md5=985b6ea8735818511d276c1b466cce98" -SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils \ +SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils;branch=master \ file://0001-include-sys-select.h-for-FD_-definitions.patch \ file://0002-replace-non-standard-uint-with-unsigned-int.patch \ file://0001-multicast_blast-tipcc-Fix-struct-type-for-TIPC_GROUP.patch \ diff --git a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb index 38ce4f5571..c62cef36d3 100644 --- a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb +++ b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" # matches debian/0.5.0-1 tag SRCREV = "44a173195986d0d853316cb02a58785ded66c12b" PV = "0.5.0+git${SRCPV}" -SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian" +SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb b/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb index ed19d1e41a..de1fc3a1fe 100644 --- a/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb +++ b/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb @@ -16,12 +16,11 @@ PR = "r1" S = "${WORKDIR}/tools" do_compile() { - oe_runmake + oe_runmake LIB_DIR=${libdir}/uml } do_install() { oe_runmake install DESTDIR=${D} } -FILES_${PN} += "${exec_prefix}${nonarch_base_libdir}" -FILES_${PN}-dbg += "${exec_prefix}${nonarch_base_libdir}/uml/.debug" +FILES_${PN} += "${libdir}/uml" diff --git a/meta-oe/recipes-extended/upm/upm_git.bb b/meta-oe/recipes-extended/upm/upm_git.bb index 6a7611f382..7643d13e25 100644 --- a/meta-oe/recipes-extended/upm/upm_git.bb +++ b/meta-oe/recipes-extended/upm/upm_git.bb @@ -10,7 +10,7 @@ DEPENDS = "libjpeg-turbo mraa" SRCREV = "5cf20df96c6b35c19d5b871ba4e319e96b4df72d" PV = "2.0.0+git${SRCPV}" -SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \ +SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \ file://0001-CMakeLists.txt-Use-SWIG_SUPPORT_FILES-to-find-the-li.patch \ file://0001-Use-stdint-types.patch \ file://0001-initialize-local-variables-before-use.patch \ diff --git a/meta-oe/recipes-extended/wipe/wipe_0.24.bb b/meta-oe/recipes-extended/wipe/wipe_0.24.bb index 831d514a4e..3ccc5afd5c 100644 --- a/meta-oe/recipes-extended/wipe/wipe_0.24.bb +++ b/meta-oe/recipes-extended/wipe/wipe_0.24.bb @@ -9,7 +9,7 @@ HOMEPAGE = "http://lambda-diode.com/software/wipe/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://GPL;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://github.com/berke/wipe.git;branch=master \ +SRC_URI = "git://github.com/berke/wipe.git;branch=master;protocol=https \ file://support-cross-compile-for-linux.patch \ file://makefile-add-ldflags.patch \ " diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb index 06337b79c7..8f766ac877 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb @@ -21,7 +21,7 @@ DEPENDS += " \ tiff \ " -SRC_URI = "git://github.com/wxWidgets/wxWidgets.git" +SRC_URI = "git://github.com/wxWidgets/wxWidgets.git;branch=master;protocol=https" PV = "3.1.3" SRCREV= "8a40d23b27ed1c80b5a2ca9f7e8461df4fbc1a31" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb index b94664c33c..eddf1ed960 100644 --- a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb +++ b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb @@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRCREV = "8fc78c3c65cb705953a2f3f9a813c3ef3c8b2270" -SRC_URI = "git://github.com/HardySimpson/zlog" +SRC_URI = "git://github.com/HardySimpson/zlog;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb index cd0b471e17..0c564c0d1c 100644 --- a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb +++ b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb @@ -9,7 +9,7 @@ LICENSE = "BSD-3-Clause & GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \ file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" -SRC_URI = "git://github.com/facebook/zstd.git;nobranch=1 \ +SRC_URI = "git://github.com/facebook/zstd.git;branch=dev;protocol=https \ file://0001-Fix-legacy-build-after-2103.patch \ " diff --git a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb index a957c1d673..6fa31c58ff 100644 --- a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb +++ b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb @@ -5,7 +5,7 @@ LICENSE = "LGPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=f30a9716ef3762e3467a2f62bf790f0a" SRCREV = "7db14dcf4c4305c3859a2d9fcf9f5da2db328330" -SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg" +SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg;branch=master" inherit distutils3 diff --git a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb index 32f0815921..2d13f26a3d 100644 --- a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb +++ b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb @@ -8,7 +8,7 @@ PV = "0.3" PR = "r1" SRCREV = "ef2e1a390e768e21e6a6268977580ee129a96633" -SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git \ +SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git;branch=master;protocol=https \ file://0001-configure.ac-Do-not-demand-linker-hash-style.patch \ " diff --git a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb index 007385101c..24f8e44d89 100644 --- a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb +++ b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb @@ -3,7 +3,7 @@ LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504 \ " -SRC_URI = "git://github.com/manatools/dnfdragora.git \ +SRC_URI = "git://github.com/manatools/dnfdragora.git;branch=master;protocol=https \ file://0001-disable-build-manpages.patch \ file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \ file://0001-To-fix-error-when-do_package.patch \ diff --git a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb index e3dff91915..8036d5f7a9 100644 --- a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb +++ b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb @@ -4,7 +4,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=ea5bed2f60d357618ca161ad539f7c0a" SECTION = "console/utils" DEPENDS = "libpng zlib" -SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https" +SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https;branch=master" SRCREV = "b179e2a42b8a5d72516b9c8d91713c9025cf6044" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb index 1863f95f0f..8f65da2c1f 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb @@ -15,7 +15,7 @@ REQUIRED_DISTRO_FEATURES_append_class-target = " x11" # tag 20190801 SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e" -SRC_URI = "git://github.com/${BPN}/${BPN}.git \ +SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://0001-include-sys-select-on-non-glibc-platforms.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb index 51f5a4eca1..d405cb8775 100644 --- a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb +++ b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb @@ -32,7 +32,7 @@ DEPENDS = " \ " SRC_URI = " \ - git://github.com/fvwmorg/fvwm.git;protocol=https \ + git://github.com/fvwmorg/fvwm.git;protocol=https;branch=master \ file://0001-Fix-compilation-for-disabled-gnome.patch \ " @@ -82,12 +82,17 @@ do_install_append() { install -d -m 0755 ${D}/${datadir}/fvwm touch ${D}/${datadir}/fvwm/ConfigFvwmDefaults + sed -i -e 's:${STAGING_BINDIR_NATIVE}/perl-native/perl:${USRBINPATH}/env perl:g' ${D}${bindir}/fvwm-* + sed -i -e 's:${STAGING_BINDIR_NATIVE}/perl-native/perl:${USRBINPATH}/env perl:g' ${D}${libexecdir}/fvwm/*/Fvwm* + sed -i -e 's:${STAGING_BINDIR_NATIVE}/python3-native/python3:${USRBINPATH}/env python3:g' ${D}${bindir}/fvwm-menu-desktop } # the only needed packages (note: locale packages are automatically generated # as well) PACKAGES = " \ ${PN} \ + ${PN}-extra \ + ${PN}-doc \ ${PN}-dbg \ " @@ -98,12 +103,20 @@ FILES_${PN} = " \ ${datadir}/fvwm/ConfigFvwmDefaults \ " +FILES_${PN}-extra = " \ + ${bindir} \ + ${libexecdir} \ + ${sysconfdir}/xdg/fvwm \ +" +FILES_${PN}-doc = " \ + ${mandir} \ + ${datadir}/fvwm \ +" + RDEPENDS_${PN} = " \ xuser-account \ " - -# by default a lot of stuff is installed and it's not easy to control what to -# install, so install everything, but skip the check -INSANE_SKIP_${PN} = " \ - installed-vs-shipped \ +RDEPENDS_${PN}-extra += "\ + perl \ + python3-core \ " diff --git a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb index e2f4dbebc5..b44f06c555 100644 --- a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb +++ b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb @@ -9,7 +9,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://copying.txt;md5=4a735e33f271f57404fda17e80085411" SRC_URI = " \ - git://github.com/g-truc/glm;branch=master \ + git://github.com/g-truc/glm;branch=master;protocol=https \ file://0001-Fix-Wimplicit-int-float-conversion-warnings-with-cla.patch \ file://glmConfig.cmake.in \ file://glmConfigVersion.cmake.in \ diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb index d393ae2a1c..72e2f5cc7a 100644 --- a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb +++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb @@ -24,7 +24,7 @@ inherit autotools-brokensep pkgconfig gettext # https://github.com/ellson/MOTHBALLED-graphviz/releases/tag/stable_release_2.40.1 # https://gitlab.com/graphviz/graphviz/-/commit/67cd2e5121379a38e0801cc05cce5033f8a2a609 SRCREV = "67cd2e5121379a38e0801cc05cce5033f8a2a609" -SRC_URI = "git://gitlab.com/${BPN}/${BPN}.git \ +SRC_URI = "git://gitlab.com/${BPN}/${BPN}.git;branch=master \ file://0001-plugin-pango-Include-freetype-headers-explicitly.patch \ " # Use native mkdefs @@ -55,6 +55,17 @@ do_install_append_class-native() { install -m755 ${B}/lib/gvpr/mkdefs ${D}${bindir} } +# create /usr/lib/graphviz/config6 +graphviz_sstate_postinst() { + mkdir -p ${SYSROOT_DESTDIR}${bindir} + dest=${SYSROOT_DESTDIR}${bindir}/postinst-${PN} + echo '#!/bin/sh' > $dest + echo '' >> $dest + echo 'dot -c' >> $dest + chmod 0755 $dest +} +SYSROOT_PREPROCESS_FUNCS_append_class-native = " graphviz_sstate_postinst" + PACKAGES =+ "${PN}-python ${PN}-perl ${PN}-demo" FILES_${PN}-python += "${libdir}/python*/site-packages/ ${libdir}/graphviz/python/" diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb index 1d5a29438a..977c0961bc 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/mdadams/jasper" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb" -SRC_URI = "git://github.com/mdadams/jasper.git;protocol=https" +SRC_URI = "git://github.com/mdadams/jasper.git;protocol=https;branch=master" SRCREV = "9aef6d91a82a8a6aecb575cbee57f74470603cc2" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch new file mode 100644 index 0000000000..2db67966cf --- /dev/null +++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch @@ -0,0 +1,27 @@ +From 97fefd050976bbbfca9608499f6a7d9fb86e70db Mon Sep 17 00:00:00 2001 +From: Sam Lantinga <slouken@libsdl.org> +Date: Tue, 30 Jul 2019 11:00:00 -0700 +Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files +--- + src/video/SDL_bmp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index 8eadc5f..5b5e12c 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + (void) biYPelsPerMeter; + (void) biClrImportant; + ++ if (biWidth <= 0 || biHeight == 0) { ++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); ++ was_error = SDL_TRUE; ++ goto done; ++ } + if (biHeight < 0) { + topDown = SDL_TRUE; + biHeight = -biHeight; +-- +2.25.1 + diff --git a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb index 7a01908322..d91a1856b4 100644 --- a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb +++ b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb @@ -27,6 +27,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \ file://CVE-2019-7637.patch \ file://CVE-2019-7638.patch \ file://CVE-2019-7576.patch \ + file://CVE-2019-13616.patch \ " UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb index dfdf82458c..7f622c2793 100644 --- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb +++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb @@ -44,7 +44,7 @@ FILES_libvncclient = "${libdir}/libvncclient.*" inherit cmake -SRC_URI = "git://github.com/LibVNC/libvncserver" +SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https" SRCREV = "1354f7f1bb6962dab209eddb9d6aac1f03408110" PV .= "+git${SRCPV}" diff --git a/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb b/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb index 1a376a4697..8fda4b5fb0 100644 --- a/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb +++ b/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \ file://COPYING.lgpl-2.1;md5=4fbd65380cdd255951079008b364516c \ " -SRC_URI = "git://github.com/libyui/libyui-ncurses.git \ +SRC_URI = "git://github.com/libyui/libyui-ncurses.git;branch=master;protocol=https \ file://0003-Simplify-ncurses-finding-module.patch \ " diff --git a/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb b/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb index 7c6f4c13d2..72a86955e1 100644 --- a/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb +++ b/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING.gpl-3;md5=d32239bcb673463ab874e80d47fae504 \ file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \ " -SRC_URI = "git://github.com/libyui/libyui.git \ +SRC_URI = "git://github.com/libyui/libyui-old.git;branch=master;protocol=https \ file://0001-Fix-build-with-clang.patch \ file://0001-Use-relative-install-paths-for-CMake.patch \ " diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch new file mode 100644 index 0000000000..98988e686e --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch @@ -0,0 +1,72 @@ +From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 19:57:27 +0800 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +See commit 8ee335227bbc for details. + +Signed-off-by: Young Xiao <YangX92@hotmail.com> + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2019-12973 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertbmp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 0af52f816..ec34f535b 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + } else { /* absolute mode */ + c = getc(IN); +@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + c1 = (OPJ_UINT8)getc(IN); + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ + getc(IN); +@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } + } + } /* while(y < height) */ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } + return OPJ_TRUE; + } + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch new file mode 100644 index 0000000000..2177bfdbdb --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch @@ -0,0 +1,86 @@ +From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 20:09:59 +0800 +Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2019-12973 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index ec34f535b..2fc4e9bc4 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + while (y < height) { + int c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c) { /* encoded mode */ +- int j; +- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); ++ int j, c1_int; ++ OPJ_UINT8 c1; ++ ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { +@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } else { /* absolute mode */ + c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c == 0x00) { /* EOL */ +@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + break; + } else if (c == 0x02) { /* MOVE by dxdy */ + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + x += (OPJ_UINT32)c; + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + y += (OPJ_UINT32)c; + pix = pData + y * stride + x; + } else { /* 03 .. 255 : absolute mode */ +@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + if ((j & 1) == 0) { +- c1 = (OPJ_UINT8)getc(IN); ++ int c1_int; ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ +- getc(IN); ++ c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + } + } + } diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch new file mode 100644 index 0000000000..f22e153b52 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch @@ -0,0 +1,43 @@ +From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 28 Jun 2020 14:19:59 +0200 +Subject: [PATCH] opj_decompress: fix double-free on input directory with mix + of valid and invalid images (CVE-2020-15389) + +Fixes #1261 + +Credits to @Ruia-ruia for reporting and analysis. + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-15389 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/opj_decompress.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c +index 7eeb0952f..2634907f0 100644 +--- a/src/bin/jp2/opj_decompress.c ++++ b/src/bin/jp2/opj_decompress.c +@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original) + int main(int argc, char **argv) + { + opj_decompress_parameters parameters; /* decompression parameters */ +- opj_image_t* image = NULL; +- opj_stream_t *l_stream = NULL; /* Stream */ +- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ +- opj_codestream_index_t* cstr_index = NULL; + + OPJ_INT32 num_images, imageno; + img_fol_t img_fol; +@@ -1393,6 +1389,10 @@ int main(int argc, char **argv) + + /*Decoding image one by one*/ + for (imageno = 0; imageno < num_images ; imageno++) { ++ opj_image_t* image = NULL; ++ opj_stream_t *l_stream = NULL; /* Stream */ ++ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ ++ opj_codestream_index_t* cstr_index = NULL; + + if (!parameters.quiet) { + fprintf(stderr, "\n"); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch new file mode 100644 index 0000000000..da06db6db7 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch @@ -0,0 +1,29 @@ +From eaa098b59b346cb88e4d10d505061f669d7134fc Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 23 Nov 2020 13:49:05 +0100 +Subject: [PATCH] Encoder: grow buffer size in + opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in + opj_mqc_flush (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + + /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ ++ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch new file mode 100644 index 0000000000..9c5894c720 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch @@ -0,0 +1,27 @@ +From 15cf3d95814dc931ca0ecb132f81cb152e051bae Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 23 Nov 2020 18:14:02 +0100 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1237,9 +1237,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ + /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ + /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ ++ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch new file mode 100644 index 0000000000..1eb030af46 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch @@ -0,0 +1,30 @@ +From 649298dcf84b2f20cfe458d887c1591db47372a6 Mon Sep 17 00:00:00 2001 +From: yuan <zodf0055980@gmail.com> +Date: Wed, 25 Nov 2020 20:41:39 +0800 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1238,10 +1238,12 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ + /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ + /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ ++ /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */ ++ /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * +- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); ++ l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { + if (p_code_block->data) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch new file mode 100644 index 0000000000..1c267c313b --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch @@ -0,0 +1,27 @@ +From 4ce7d285a55d29b79880d0566d4b010fe1907aa9 Mon Sep 17 00:00:00 2001 +From: yuan <zodf0055980@gmail.com> +Date: Fri, 4 Dec 2020 19:00:22 +0800 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1240,9 +1240,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */ + /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */ ++ /* and +74 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -n 8 -s 7,7 -I) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 74 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch new file mode 100644 index 0000000000..e4373d0d32 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch @@ -0,0 +1,29 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27823 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c +index 328c91beb..00f596e27 100644 +--- a/src/bin/jp2/convertpng.c ++++ b/src/bin/jp2/convertpng.c +@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) + image->x0 = (OPJ_UINT32)params->image_offset_x0; + image->y0 = (OPJ_UINT32)params->image_offset_y0; + image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32) +- params->subsampling_dx + 1 + image->x0); ++ params->subsampling_dx + 1); + image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32) +- params->subsampling_dy + 1 + image->y0); ++ params->subsampling_dy + 1); + + row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); + if (row32s == NULL) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch new file mode 100644 index 0000000000..5f3deb4dda --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch @@ -0,0 +1,24 @@ +From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 30 Nov 2020 22:37:07 +0100 +Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible + conversion when too many decomposition levels are specified (fixes #1286) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27824 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/dwt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/lib/openjp2/dwt.c ++++ b/src/lib/openjp2/dwt.c +@@ -1293,7 +1293,7 @@ void opj_dwt_calc_explicit_stepsizes(opj + if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { + stepsize = 1.0; + } else { +- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; ++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); + stepsize = (1 << (gain)) / norm; + } + opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch new file mode 100644 index 0000000000..db6d12dc2c --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch @@ -0,0 +1,238 @@ +From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 2 Dec 2020 14:02:17 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs + https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27841 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++--------------- + src/lib/openjp2/pi.h | 10 +++++++-- + src/lib/openjp2/t2.c | 4 ++-- + 3 files changed, 42 insertions(+), 21 deletions(-) + +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -192,10 +192,12 @@ static void opj_get_all_encoding_paramet + * @param p_image the image used to initialize the packet iterator (in fact only the number of components is relevant. + * @param p_cp the coding parameters. + * @param tileno the index of the tile from which creating the packet iterator. ++ * @param manager Event manager + */ + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *p_image, + const opj_cp_t *p_cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * FIXME DOC + */ +@@ -230,12 +232,6 @@ static OPJ_BOOL opj_pi_check_next_level( + ========================================================== + */ + +-static void opj_pi_emit_error(opj_pi_iterator_t * pi, const char* msg) +-{ +- (void)pi; +- (void)msg; +-} +- + static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi) + { + opj_pi_comp_t *comp = NULL; +@@ -272,7 +268,7 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + /* include should be resized when a POC arises, or */ + /* the POC should be rejected */ + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -318,7 +314,7 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -449,7 +445,7 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -473,6 +469,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -580,7 +583,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -604,6 +607,13 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_cprl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -708,7 +718,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -981,7 +991,8 @@ static void opj_get_all_encoding_paramet + + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image, + const opj_cp_t *cp, +- OPJ_UINT32 tileno) ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager) + { + /* loop*/ + OPJ_UINT32 pino, compno; +@@ -1015,6 +1026,8 @@ static opj_pi_iterator_t * opj_pi_create + l_current_pi = l_pi; + for (pino = 0; pino < l_poc_bound ; ++pino) { + ++ l_current_pi->manager = manager; ++ + l_current_pi->comps = (opj_pi_comp_t*) opj_calloc(image->numcomps, + sizeof(opj_pi_comp_t)); + if (! l_current_pi->comps) { +@@ -1352,7 +1365,8 @@ static OPJ_BOOL opj_pi_check_next_level( + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, + opj_cp_t *p_cp, +- OPJ_UINT32 p_tile_no) ++ OPJ_UINT32 p_tile_no, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1407,7 +1421,7 @@ opj_pi_iterator_t *opj_pi_create_decode( + } + + /* memory allocation for pi */ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +@@ -1552,7 +1566,8 @@ opj_pi_iterator_t *opj_pi_create_decode( + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + opj_cp_t *p_cp, + OPJ_UINT32 p_tile_no, +- J2K_T2_MODE p_t2_mode) ++ J2K_T2_MODE p_t2_mode, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1606,7 +1621,7 @@ opj_pi_iterator_t *opj_pi_initialise_enc + } + + /* memory allocation for pi*/ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +--- a/src/lib/openjp2/pi.h ++++ b/src/lib/openjp2/pi.h +@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator { + OPJ_INT32 x, y; + /** FIXME DOC*/ + OPJ_UINT32 dx, dy; ++ /** event manager */ ++ opj_event_mgr_t* manager; + } opj_pi_iterator_t; + + /** @name Exported functions */ +@@ -119,13 +121,15 @@ typedef struct opj_pi_iterator { + * @param cp the coding parameters. + * @param tileno index of the tile being encoded. + * @param t2_mode the type of pass for generating the packet iterator ++ * @param manager Event manager + * + * @return a list of packet iterator that points to the first packet of the tile (not true). + */ + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *image, + opj_cp_t *cp, + OPJ_UINT32 tileno, +- J2K_T2_MODE t2_mode); ++ J2K_T2_MODE t2_mode, ++ opj_event_mgr_t* manager); + + /** + * Updates the encoding parameters of the codec. +@@ -161,12 +165,14 @@ Create a packet iterator for Decoder + @param image Raw image for which the packets will be listed + @param cp Coding parameters + @param tileno Number that identifies the tile for which to list the packets ++@param manager Event manager + @return Returns a packet iterator that points to the first packet of the tile + @see opj_pi_destroy + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t * image, + opj_cp_t * cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * Destroys a packet iterator array. + * +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -244,7 +244,7 @@ OPJ_BOOL opj_t2_encode_packets(opj_t2_t* + l_image->numcomps : 1; + OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1; + +- l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode); ++ l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } +@@ -405,7 +405,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t + #endif + + /* create a packet iterator */ +- l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no); ++ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch new file mode 100644 index 0000000000..6984aa8602 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch @@ -0,0 +1,31 @@ +From fbd30b064f8f9607d500437b6fedc41431fd6cdc Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 1 Dec 2020 19:51:35 +0100 +Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1294, + but likely not the proper fix + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27842 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/t2.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -711,6 +711,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1294 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + opj_tgt_reset(prc->incltree); + opj_tgt_reset(prc->imsbtree); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch new file mode 100644 index 0000000000..53c86ea5e4 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch @@ -0,0 +1,31 @@ +From 38d661a3897052c7ff0b39b30c29cb067e130121 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 2 Dec 2020 13:13:26 +0100 +Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1297, + but likely not the proper fix + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27843 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/t2.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -787,6 +787,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1297 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + l_nb_blocks = prc->cw * prc->ch; + cblk = prc->cblks.enc; diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch new file mode 100644 index 0000000000..a1aa49a217 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch @@ -0,0 +1,74 @@ +From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Fri, 4 Dec 2020 20:45:25 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27845 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -238,6 +238,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_lrcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -291,6 +298,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rlcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -337,6 +351,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rpcl(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + goto LABEL_SKIP; + } else { +@@ -472,7 +493,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ "opj_pi_next_pcrl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } + +@@ -610,7 +631,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_cprl(): invalid compno0/compno1"); ++ "opj_pi_next_cprl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb index 42011efa97..9cf513f3f7 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb @@ -6,10 +6,23 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c648878b4840d7babaade1303e7f108c" DEPENDS = "libpng tiff lcms zlib" SRC_URI = " \ - git://github.com/uclouvain/openjpeg.git \ + git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ + file://CVE-2019-12973-1.patch \ + file://CVE-2019-12973-2.patch \ file://CVE-2020-6851.patch \ file://CVE-2020-8112.patch \ + file://CVE-2020-15389.patch \ + file://CVE-2020-27814-1.patch \ + file://CVE-2020-27814-2.patch \ + file://CVE-2020-27814-3.patch \ + file://CVE-2020-27814-4.patch \ + file://CVE-2020-27823.patch \ + file://CVE-2020-27824.patch \ + file://CVE-2020-27841.patch \ + file://CVE-2020-27842.patch \ + file://CVE-2020-27843.patch \ + file://CVE-2020-27845.patch \ " SRCREV = "57096325457f96d8cd07bd3af04fe81d7a2ba788" S = "${WORKDIR}/git" @@ -20,3 +33,17 @@ inherit cmake EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}" FILES_${PN} += "${libdir}/openjpeg*" + +# This flaw is introduced by +# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 +# but the contents of this patch is not present in openjpeg_2.3.1 +# Hence, it can be whitelisted. +# https://security-tracker.debian.org/tracker/CVE-2020-27844 + +CVE_CHECK_WHITELIST += "CVE-2020-27844" + +# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg +# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. +# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1 + +CVE_CHECK_WHITELIST += "CVE-2015-1239" diff --git a/meta-oe/recipes-graphics/qrencode/qrencode_git.bb b/meta-oe/recipes-graphics/qrencode/qrencode_git.bb index 108c339bf5..3ef4f59597 100644 --- a/meta-oe/recipes-graphics/qrencode/qrencode_git.bb +++ b/meta-oe/recipes-graphics/qrencode/qrencode_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" PV = "4.0.1+git${SRCPV}" SRCREV = "7c83deb8f562ae6013fea4c3e65278df93f98fb7" -SRC_URI = "git://github.com/fukuchi/libqrencode.git" +SRC_URI = "git://github.com/fukuchi/libqrencode.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb index 6ea632d064..b20e06a454 100644 --- a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb @@ -5,7 +5,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=df7ea9e196efc7014c124747a0ef9772" SRCREV = "a56af589d94dc851809fd5344d0ae441da70c1f2" -SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=http;branch=v1.x \ +SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=http;branch=v1.x;protocol=https \ file://0001-renderdoc-use-xxd-instead-of-cross-compiling-shim-bi.patch \ file://0001-Remove-glslang-pool_allocator-setAllocator.patch \ " diff --git a/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb b/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb index b787972da6..bf0a5947b0 100644 --- a/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb +++ b/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb @@ -6,7 +6,7 @@ SECTION = "graphics" S = "${WORKDIR}/git" SRCREV = "ed16b3e69985feaf565efbecea70a1cc2fca2a58" -SRC_URI = "git://github.com/KhronosGroup/SPIRV-Cross.git \ +SRC_URI = "git://github.com/KhronosGroup/SPIRV-Cross.git;branch=master;protocol=https \ file://0001-Add-install-PHONY-target-in-Makefile.patch \ " diff --git a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb index 8e8388e8d4..362a250725 100644 --- a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb +++ b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb @@ -8,11 +8,11 @@ SECTION = "graphics" S = "${WORKDIR}/git" DEST_DIR = "${S}/external" -SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools \ - git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers \ - git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee \ - git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2 \ - git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest \ +SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools;branch=main;protocol=https \ + git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers;branch=main;protocol=https \ + git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee;branch=main;protocol=https \ + git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2;branch=main;protocol=https \ + git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest;branch=main;protocol=https \ file://0001-Respect-CMAKE_INSTALL_LIBDIR-in-installed-CMake-file.patch \ file://0001-Avoid-pessimizing-std-move-3124.patch \ " @@ -21,6 +21,7 @@ SRCREV_spirv-headers = "af64a9e826bf5bb5fcd2434dd71be1e41e922563" SRCREV_effcee = "cd25ec17e9382f99a895b9ef53ff3c277464d07d" SRCREV_re2 = "5bd613749fd530b576b890283bfb6bc6ea6246cb" SRCREV_googletest = "f2fb48c3b3d79a75a88a99fba6576b25d42ec528" +SRCREV_FORMAT = "spirv-ttols_spirv-headers_effcee_re2_googletest" inherit cmake python3native diff --git a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb index 75c2bc00e2..9fe61ae9c1 100644 --- a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb +++ b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb @@ -4,7 +4,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=9648bd7af63bd3cc4f5ac046d12c49e4" SRCREV = "590567f20dc044f6948a8e2c61afc714c360ad0e" -SRC_URI = "git://github.com/tesseract-ocr/tessdata.git" +SRC_URI = "git://github.com/tesseract-ocr/tessdata.git;branch=main;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/tesseract/tesseract_git.bb b/meta-oe/recipes-graphics/tesseract/tesseract_git.bb index 89d09a0f55..70c98372b3 100644 --- a/meta-oe/recipes-graphics/tesseract/tesseract_git.bb +++ b/meta-oe/recipes-graphics/tesseract/tesseract_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7ea4f9a43aba9d3c849fe5c203a0ed40" BRANCH = "3.05" PV = "${BRANCH}.01+git${SRCPV}" SRCREV = "215866151e774972c9502282111b998d7a053562" -SRC_URI = "git://github.com/${BPN}-ocr/${BPN}.git;branch=${BRANCH}" +SRC_URI = "git://github.com/${BPN}-ocr/${BPN}.git;branch=${BRANCH};protocol=https" S = "${WORKDIR}/git" DEPENDS = "leptonica" diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb index f97c2b2d6c..de2d059061 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.tigervnc.com/" LICENSE = "GPLv2+" SECTION = "x11/utils" DEPENDS = "xserver-xorg gnutls jpeg libxtst gettext-native fltk" -RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl" +RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl xkbcomp" LIC_FILES_CHKSUM = "file://LICENCE.TXT;md5=75b02c2872421380bbd47781d2bd75d3" @@ -17,7 +17,7 @@ B = "${S}" SRCREV = "4739493b635372bd40a34640a719f79fa90e4dba" -SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch \ +SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch;protocol=https \ file://0002-do-not-build-tests-sub-directory.patch \ file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \ file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \ diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb index 8dba7ee6fa..16ac65b1be 100644 --- a/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb +++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb @@ -8,7 +8,7 @@ SRCREV = "21e6e2de1f0062f949fcc52d0b4559dfa3246e0e" PV = "0.1+gitr${SRCPV}" PR = "r3" -SRC_URI = "git://github.com/android/platform_frameworks_base.git;branch=master" +SRC_URI = "git://github.com/android/platform_frameworks_base.git;branch=master;protocol=https" S = "${WORKDIR}/git/data/fonts" diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb index 0af0e91d68..7dde4cc661 100644 --- a/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb +++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb @@ -8,7 +8,7 @@ LICENSE = "OFL-1.1" LIC_FILES_CHKSUM = "file://OFL.txt;md5=7dfa0a236dc535ad2d2548e6170c4402" SRCREV = "d678f1b1807ea5602586279e90b5db6d62ed475e" -SRC_URI = "git://github.com/pravins/lohit.git;branch=master" +SRC_URI = "git://github.com/pravins/lohit.git;branch=master;protocol=https" DEPENDS = "fontforge-native" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb index e74f7a7f67..1a2f6cb4d2 100644 --- a/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb +++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/googlefonts/noto-emoji" LICENSE = "OFL-1.1" LIC_FILES_CHKSUM = "file://fonts/LICENSE;md5=55719faa0112708e946b820b24b14097" -SRC_URI = "git://github.com/googlefonts/noto-emoji;protocol=https" +SRC_URI = "git://github.com/googlefonts/noto-emoji;protocol=https;branch=master" SRCREV = "833a43d03246a9325e748a2d783006454d76ff66" PACKAGES = "${PN}-color ${PN}-regular" diff --git a/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb b/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb index 7e22038f24..427882d32b 100644 --- a/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb +++ b/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb @@ -5,7 +5,7 @@ AUTHOR = "Ingo Bürk" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=b25d2c4cca175f44120d1b8e67cb358d" -SRC_URI = "git://github.com/Airblader/unclutter-xfixes.git \ +SRC_URI = "git://github.com/Airblader/unclutter-xfixes.git;branch=master;protocol=https \ file://0001-build-use-autotools.patch" SRCREV = "10fd337bb77e4e93c3380f630a0555372778a948" diff --git a/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb b/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb index 240949f55c..dd8f41aa5d 100644 --- a/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb +++ b/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=83af8811a28727a13f04132cc33b7f58" DEPENDS = "virtual/libx11 libxext xorgproto" SRCREV = "f57a9904c43ef5d726320c77baa91d0c38361ed4" -SRC_URI = "git://anongit.freedesktop.org/vdpau/libvdpau" +SRC_URI = "git://anongit.freedesktop.org/vdpau/libvdpau;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb index e3a1914fef..fe725879d0 100644 --- a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb +++ b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://src/x11vnc.h;endline=31;md5=e871a2ad004776794b616822dcab6314" SRCREV = "4ca006fed80410bd9b061a1519bd5d9366bb0bc8" -SRC_URI = "git://github.com/LibVNC/x11vnc \ +SRC_URI = "git://github.com/LibVNC/x11vnc;branch=master;protocol=https \ file://starting-fix.patch \ file://0001-misc-Makefile.am-don-t-install-Xdummy-when-configure.patch \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ diff --git a/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb b/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb index 4949616ddc..df5979a094 100644 --- a/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb +++ b/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb @@ -9,7 +9,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ac9801b8423fd7a7699ccbd45cf134d8" DEPENDS += "libxxf86vm" -BBCLASSEXTEND = "native" - SRC_URI[md5sum] = "90b4305157c2b966d5180e2ee61262be" SRC_URI[sha256sum] = "0ef1c35b5c18b1b22317f455c8df13c0a471a8efad63c89c98ae3ce8c2b222d3" diff --git a/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb b/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb index 6a05e98e32..d394b33de2 100644 --- a/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb +++ b/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb @@ -13,7 +13,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=64322fab5239f5c8d97cf6e0e14f1c62" DEPENDS += "libxaw libxkbfile" -BBCLASSEXTEND = "native" - SRC_URI[md5sum] = "502b14843f610af977dffc6cbf2102d5" SRC_URI[sha256sum] = "d2a18ab90275e8bca028773c44264d2266dab70853db4321bdbc18da75148130" diff --git a/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb b/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb index 30a1e089e3..a9a8acf05c 100644 --- a/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb +++ b/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb @@ -8,7 +8,6 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=6ea29dbee22324787c061f039e0529de" DEPENDS += "xbitmaps libxcursor" -BBCLASSEXTEND = "native" SRC_URI[md5sum] = "5fe769c8777a6e873ed1305e4ce2c353" SRC_URI[sha256sum] = "10c442ba23591fb5470cea477a0aa5f679371f4f879c8387a1d9d05637ae417c" diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch new file mode 100644 index 0000000000..937b2176aa --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch @@ -0,0 +1,68 @@ +Description: Fix for CVE-2021-27135 from xterm 366 + Correct upper-limit for selection buffer, accounting for + combining characters (report by Tavis Ormandy). + +Upstream-Status: Backport +https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff +CVE: CVE-2021-27135 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + button.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +Index: xterm-353/button.c +=================================================================== +--- xterm-353.orig/button.c ++++ xterm-353/button.c +@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw, + int i; + int eol; + int need = 0; ++ size_t have = 0; + Char *line; + Char *lp; + CELL first = *cellc; +@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw, + + /* UTF-8 may require more space */ + if_OPT_WIDE_CHARS(screen, { +- need *= 4; ++ if (need > 0) { ++ if (screen->max_combining > 0) ++ need += screen->max_combining; ++ need *= 6; ++ } + }); + + /* now get some memory to save it in */ +@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw, + } + *lp = '\0'; /* make sure we have end marked */ + +- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), +- visibleChars(line, (unsigned) (lp - line)))); ++ have = (size_t) (lp - line); ++ /* ++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if ++ * the estimate is too-far off. ++ */ ++ if ((have * 2) < (size_t) need) { ++ Char *next; ++ scp->data_limit = have + 1; ++ next = realloc(line, scp->data_limit); ++ if (next == NULL) { ++ free(line); ++ scp->data_length = 0; ++ scp->data_limit = 0; ++ } ++ scp->data_buffer = next; ++ } ++ scp->data_length = have; + +- scp->data_length = (size_t) (lp - line); ++ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, ++ visibleChars(scp->data_buffer, (unsigned) have))); + } + + #if OPT_PASTE64 diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch new file mode 100644 index 0000000000..b7a5f297a5 --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch @@ -0,0 +1,84 @@ +From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 21 Jun 2022 10:53:01 +0530 +Subject: [PATCH] CVE-2022-24130 + +Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d] +CVE: CVE-2022-24130 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/graphics_sixel.c b/graphics_sixel.c +index 00ba3ef..6a82295 100644 +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context) + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- set_sixel(graphic, &context, sixel); ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) + graphic->valid = 1; + } + for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; ++ break; ++ } + } + } else if (ch == '#') { /* DECGCI */ + ANSI color_params; +-- +2.25.1 + diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch new file mode 100644 index 0000000000..e63169a209 --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch @@ -0,0 +1,776 @@ +From 787636674918873a091e7a4ef5977263ba982322 Mon Sep 17 00:00:00 2001 +From: "Thomas E. Dickey" <dickey@invisible-island.net> +Date: Sun, 23 Oct 2022 22:59:52 +0000 +Subject: [PATCH] snapshot of project "xterm", label xterm-374c + +Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/787636674918873a091e7a4ef5977263ba982322] +CVE: CVE-2022-45063 + +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + button.c | 16 +-- + charproc.c | 9 +- + doublechr.c | 4 +- + fontutils.c | 266 ++++++++++++++++++++++++++----------------------- + fontutils.h | 4 +- + misc.c | 7 +- + screen.c | 2 +- + xterm.h | 2 +- + xterm.log.html | 6 ++ + 9 files changed, 164 insertions(+), 152 deletions(-) + +diff --git a/button.c b/button.c +index 66a6181..e05ca50 100644 +--- a/button.c ++++ b/button.c +@@ -1619,14 +1619,9 @@ static void + UnmapSelections(XtermWidget xw) + { + TScreen *screen = TScreenOf(xw); +- Cardinal n; + +- if (screen->mappedSelect) { +- for (n = 0; screen->mappedSelect[n] != 0; ++n) +- free((void *) screen->mappedSelect[n]); +- free(screen->mappedSelect); +- screen->mappedSelect = 0; +- } ++ free(screen->mappedSelect); ++ screen->mappedSelect = 0; + } + + /* +@@ -1662,14 +1657,11 @@ MapSelections(XtermWidget xw, String *params, Cardinal num_params) + if ((result = TypeMallocN(String, num_params + 1)) != 0) { + result[num_params] = 0; + for (j = 0; j < num_params; ++j) { +- result[j] = x_strdup((isSELECT(params[j]) ++ result[j] = (String) (isSELECT(params[j]) + ? mapTo +- : params[j])); ++ : params[j]); + if (result[j] == 0) { + UnmapSelections(xw); +- while (j != 0) { +- free((void *) result[--j]); +- } + free(result); + result = 0; + break; +diff --git a/charproc.c b/charproc.c +index 55f0108..b07de4c 100644 +--- a/charproc.c ++++ b/charproc.c +@@ -12548,7 +12548,6 @@ DoSetSelectedFont(Widget w, + Bell(xw, XkbBI_MinorError, 0); + } else { + Boolean failed = False; +- int oldFont = TScreenOf(xw)->menu_font_number; + char *save = TScreenOf(xw)->SelectFontName(); + char *val; + char *test; +@@ -12593,10 +12592,6 @@ DoSetSelectedFont(Widget w, + failed = True; + } + if (failed) { +- (void) xtermLoadFont(xw, +- xtermFontName(TScreenOf(xw)->MenuFontName(oldFont)), +- True, +- oldFont); + Bell(xw, XkbBI_MinorError, 0); + } + free(used); +@@ -12605,7 +12600,7 @@ DoSetSelectedFont(Widget w, + } + } + +-void ++Bool + FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe) + { + TScreen *screen = TScreenOf(xw); +@@ -12645,7 +12640,7 @@ FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe) + DoSetSelectedFont, NULL, + XtLastTimestampProcessed(XtDisplay(xw))); + } +- return; ++ return (screen->SelectFontName() != NULL) ? True : False; + } + + Bool +diff --git a/doublechr.c b/doublechr.c +index a60f5bd..f7b6bae 100644 +--- a/doublechr.c ++++ b/doublechr.c +@@ -294,7 +294,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp) + temp.flags = (params->attr_flags & BOLD); + temp.warn = fwResource; + +- if (!xtermOpenFont(params->xw, name, &temp, False)) { ++ if (!xtermOpenFont(params->xw, name, &temp, NULL, False)) { + XTermDraw local = *params; + char *nname; + +@@ -303,7 +303,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp) + nname = xtermSpecialFont(&local); + if (nname != 0) { + found = (Boolean) xtermOpenFont(params->xw, nname, &temp, +- False); ++ NULL, False); + free(nname); + } + } else { +diff --git a/fontutils.c b/fontutils.c +index 4b0ef85..d9bfaf8 100644 +--- a/fontutils.c ++++ b/fontutils.c +@@ -92,9 +92,9 @@ + } + + #define FREE_FNAME(field) \ +- if (fonts == 0 || myfonts.field != fonts->field) { \ +- FREE_STRING(myfonts.field); \ +- myfonts.field = 0; \ ++ if (fonts == 0 || new_fnames.field != fonts->field) { \ ++ FREE_STRING(new_fnames.field); \ ++ new_fnames.field = 0; \ + } + + /* +@@ -573,7 +573,7 @@ open_italic_font(XtermWidget xw, int n, FontNameProperties *fp, XTermFonts * dat + if ((name = italic_font_name(fp, slant[pass])) != 0) { + TRACE(("open_italic_font %s %s\n", + whichFontEnum((VTFontEnum) n), name)); +- if (xtermOpenFont(xw, name, data, False)) { ++ if (xtermOpenFont(xw, name, data, NULL, False)) { + result = (data->fs != 0); + #if OPT_REPORT_FONTS + if (resource.reportFonts) { +@@ -1006,13 +1006,14 @@ cannotFont(XtermWidget xw, const char *who, const char *tag, const char *name) + } + + /* +- * Open the given font and verify that it is non-empty. Return a null on ++ * Open the given font and verify that it is non-empty. Return false on + * failure. + */ + Bool + xtermOpenFont(XtermWidget xw, + const char *name, + XTermFonts * result, ++ XTermFonts * current, + Bool force) + { + Bool code = False; +@@ -1020,7 +1021,12 @@ xtermOpenFont(XtermWidget xw, + + TRACE(("xtermOpenFont %d:%d '%s'\n", + result->warn, xw->misc.fontWarnings, NonNull(name))); ++ + if (!IsEmpty(name)) { ++ Bool existing = (current != NULL ++ && current->fs != NULL ++ && current->fn != NULL); ++ + if ((result->fs = XLoadQueryFont(screen->display, name)) != 0) { + code = True; + if (EmptyFont(result->fs)) { +@@ -1039,9 +1045,13 @@ xtermOpenFont(XtermWidget xw, + } else { + TRACE(("xtermOpenFont: cannot load font '%s'\n", name)); + } +- if (force) { ++ if (existing) { ++ TRACE(("...continue using font '%s'\n", current->fn)); ++ result->fn = x_strdup(current->fn); ++ result->fs = current->fs; ++ } else if (force) { + NoFontWarning(result); +- code = xtermOpenFont(xw, DEFFONT, result, True); ++ code = xtermOpenFont(xw, DEFFONT, result, NULL, True); + } + } + } +@@ -1289,6 +1299,7 @@ static Bool + loadNormFP(XtermWidget xw, + char **nameOutP, + XTermFonts * infoOut, ++ XTermFonts * current, + int fontnum) + { + Bool status = True; +@@ -1298,7 +1309,7 @@ loadNormFP(XtermWidget xw, + if (!xtermOpenFont(xw, + *nameOutP, + infoOut, +- (fontnum == fontMenu_default))) { ++ current, (fontnum == fontMenu_default))) { + /* + * If we are opening the default font, and it happens to be missing, + * force that to the compiled-in default font, e.g., "fixed". If we +@@ -1333,10 +1344,10 @@ loadBoldFP(XtermWidget xw, + if (fp != 0) { + NoFontWarning(infoOut); + *nameOutP = bold_font_name(fp, fp->average_width); +- if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) { ++ if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) { + free(*nameOutP); + *nameOutP = bold_font_name(fp, -1); +- xtermOpenFont(xw, *nameOutP, infoOut, False); ++ xtermOpenFont(xw, *nameOutP, infoOut, NULL, False); + } + TRACE(("...derived bold '%s'\n", NonNull(*nameOutP))); + } +@@ -1354,7 +1365,7 @@ loadBoldFP(XtermWidget xw, + TRACE(("...did not get a matching bold font\n")); + } + free(normal); +- } else if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) { ++ } else if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) { + xtermCopyFontInfo(infoOut, infoRef); + TRACE(("...cannot load bold font '%s'\n", NonNull(*nameOutP))); + } else { +@@ -1408,7 +1419,7 @@ loadWideFP(XtermWidget xw, + } + + if (check_fontname(*nameOutP)) { +- if (xtermOpenFont(xw, *nameOutP, infoOut, False) ++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False) + && is_derived_font_name(*nameOutP) + && EmptyFont(infoOut->fs)) { + xtermCloseFont2(xw, infoOut - fWide, fWide); +@@ -1452,7 +1463,7 @@ loadWBoldFP(XtermWidget xw, + + if (check_fontname(*nameOutP)) { + +- if (xtermOpenFont(xw, *nameOutP, infoOut, False) ++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False) + && is_derived_font_name(*nameOutP) + && !compatibleWideCounts(wideInfoRef->fs, infoOut->fs)) { + xtermCloseFont2(xw, infoOut - fWBold, fWBold); +@@ -1505,6 +1516,10 @@ loadWBoldFP(XtermWidget xw, + } + #endif + ++/* ++ * Load a given bitmap font, along with the bold/wide variants. ++ * Returns nonzero on success. ++ */ + int + xtermLoadFont(XtermWidget xw, + const VTFontNames * fonts, +@@ -1514,33 +1529,37 @@ xtermLoadFont(XtermWidget xw, + TScreen *screen = TScreenOf(xw); + VTwin *win = WhichVWin(screen); + +- VTFontNames myfonts; +- XTermFonts fnts[fMAX]; ++ VTFontNames new_fnames; ++ XTermFonts new_fonts[fMAX]; ++ XTermFonts old_fonts[fMAX]; + char *tmpname = NULL; + Boolean proportional = False; ++ Boolean recovered; ++ int code = 0; + +- memset(&myfonts, 0, sizeof(myfonts)); +- memset(fnts, 0, sizeof(fnts)); ++ memset(&new_fnames, 0, sizeof(new_fnames)); ++ memset(new_fonts, 0, sizeof(new_fonts)); ++ memcpy(&old_fonts, screen->fnts, sizeof(old_fonts)); + + if (fonts != 0) +- myfonts = *fonts; +- if (!check_fontname(myfonts.f_n)) +- return 0; ++ new_fnames = *fonts; ++ if (!check_fontname(new_fnames.f_n)) ++ return code; + + if (fontnum == fontMenu_fontescape +- && myfonts.f_n != screen->MenuFontName(fontnum)) { +- if ((tmpname = x_strdup(myfonts.f_n)) == 0) +- return 0; ++ && new_fnames.f_n != screen->MenuFontName(fontnum)) { ++ if ((tmpname = x_strdup(new_fnames.f_n)) == 0) ++ return code; + } + +- TRACE(("Begin Cgs - xtermLoadFont(%s)\n", myfonts.f_n)); ++ TRACE(("Begin Cgs - xtermLoadFont(%s)\n", new_fnames.f_n)); + releaseWindowGCs(xw, win); + + #define DbgResource(name, field, index) \ + TRACE(("xtermLoadFont #%d "name" %s%s\n", \ + fontnum, \ +- (fnts[index].warn == fwResource) ? "*" : " ", \ +- NonNull(myfonts.field))) ++ (new_fonts[index].warn == fwResource) ? "*" : " ", \ ++ NonNull(new_fnames.field))) + DbgResource("normal", f_n, fNorm); + DbgResource("bold ", f_b, fBold); + #if OPT_WIDE_CHARS +@@ -1549,16 +1568,17 @@ xtermLoadFont(XtermWidget xw, + #endif + + if (!loadNormFP(xw, +- &myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_n, ++ &new_fonts[fNorm], ++ &old_fonts[fNorm], + fontnum)) + goto bad; + + if (!loadBoldFP(xw, +- &myfonts.f_b, +- &fnts[fBold], +- myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_b, ++ &new_fonts[fBold], ++ new_fnames.f_n, ++ &new_fonts[fNorm], + fontnum)) + goto bad; + +@@ -1570,20 +1590,20 @@ xtermLoadFont(XtermWidget xw, + if_OPT_WIDE_CHARS(screen, { + + if (!loadWideFP(xw, +- &myfonts.f_w, +- &fnts[fWide], +- myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_w, ++ &new_fonts[fWide], ++ new_fnames.f_n, ++ &new_fonts[fNorm], + fontnum)) + goto bad; + + if (!loadWBoldFP(xw, +- &myfonts.f_wb, +- &fnts[fWBold], +- myfonts.f_w, +- &fnts[fWide], +- myfonts.f_b, +- &fnts[fBold], ++ &new_fnames.f_wb, ++ &new_fonts[fWBold], ++ new_fnames.f_w, ++ &new_fonts[fWide], ++ new_fnames.f_b, ++ &new_fonts[fBold], + fontnum)) + goto bad; + +@@ -1593,30 +1613,30 @@ xtermLoadFont(XtermWidget xw, + * Normal/bold fonts should be the same width. Also, the min/max + * values should be the same. + */ +- if (fnts[fNorm].fs != 0 +- && fnts[fBold].fs != 0 +- && (!is_fixed_font(fnts[fNorm].fs) +- || !is_fixed_font(fnts[fBold].fs) +- || differing_widths(fnts[fNorm].fs, fnts[fBold].fs))) { ++ if (new_fonts[fNorm].fs != 0 ++ && new_fonts[fBold].fs != 0 ++ && (!is_fixed_font(new_fonts[fNorm].fs) ++ || !is_fixed_font(new_fonts[fBold].fs) ++ || differing_widths(new_fonts[fNorm].fs, new_fonts[fBold].fs))) { + TRACE(("Proportional font! normal %d/%d, bold %d/%d\n", +- fnts[fNorm].fs->min_bounds.width, +- fnts[fNorm].fs->max_bounds.width, +- fnts[fBold].fs->min_bounds.width, +- fnts[fBold].fs->max_bounds.width)); ++ new_fonts[fNorm].fs->min_bounds.width, ++ new_fonts[fNorm].fs->max_bounds.width, ++ new_fonts[fBold].fs->min_bounds.width, ++ new_fonts[fBold].fs->max_bounds.width)); + proportional = True; + } + + if_OPT_WIDE_CHARS(screen, { +- if (fnts[fWide].fs != 0 +- && fnts[fWBold].fs != 0 +- && (!is_fixed_font(fnts[fWide].fs) +- || !is_fixed_font(fnts[fWBold].fs) +- || differing_widths(fnts[fWide].fs, fnts[fWBold].fs))) { ++ if (new_fonts[fWide].fs != 0 ++ && new_fonts[fWBold].fs != 0 ++ && (!is_fixed_font(new_fonts[fWide].fs) ++ || !is_fixed_font(new_fonts[fWBold].fs) ++ || differing_widths(new_fonts[fWide].fs, new_fonts[fWBold].fs))) { + TRACE(("Proportional font! wide %d/%d, wide bold %d/%d\n", +- fnts[fWide].fs->min_bounds.width, +- fnts[fWide].fs->max_bounds.width, +- fnts[fWBold].fs->min_bounds.width, +- fnts[fWBold].fs->max_bounds.width)); ++ new_fonts[fWide].fs->min_bounds.width, ++ new_fonts[fWide].fs->max_bounds.width, ++ new_fonts[fWBold].fs->min_bounds.width, ++ new_fonts[fWBold].fs->max_bounds.width)); + proportional = True; + } + }); +@@ -1635,13 +1655,13 @@ xtermLoadFont(XtermWidget xw, + screen->ifnts_ok = False; + #endif + +- xtermCopyFontInfo(GetNormalFont(screen, fNorm), &fnts[fNorm]); +- xtermCopyFontInfo(GetNormalFont(screen, fBold), &fnts[fBold]); ++ xtermCopyFontInfo(GetNormalFont(screen, fNorm), &new_fonts[fNorm]); ++ xtermCopyFontInfo(GetNormalFont(screen, fBold), &new_fonts[fBold]); + #if OPT_WIDE_CHARS +- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]); +- if (fnts[fWBold].fs == NULL) +- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]); +- xtermCopyFontInfo(GetNormalFont(screen, fWBold), &fnts[fWBold]); ++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]); ++ if (new_fonts[fWBold].fs == NULL) ++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]); ++ xtermCopyFontInfo(GetNormalFont(screen, fWBold), &new_fonts[fWBold]); + #endif + + xtermUpdateFontGCs(xw, getNormalFont); +@@ -1672,7 +1692,7 @@ xtermLoadFont(XtermWidget xw, + unsigned ch; + + #if OPT_TRACE +-#define TRACE_MISS(index) show_font_misses(#index, &fnts[index]) ++#define TRACE_MISS(index) show_font_misses(#index, &new_fonts[index]) + TRACE_MISS(fNorm); + TRACE_MISS(fBold); + #if OPT_WIDE_CHARS +@@ -1689,8 +1709,8 @@ xtermLoadFont(XtermWidget xw, + if ((n != UCS_REPL) + && (n != ch) + && (screen->fnt_boxes & 2)) { +- if (xtermMissingChar(n, &fnts[fNorm]) || +- xtermMissingChar(n, &fnts[fBold])) { ++ if (xtermMissingChar(n, &new_fonts[fNorm]) || ++ xtermMissingChar(n, &new_fonts[fBold])) { + UIntClr(screen->fnt_boxes, 2); + TRACE(("missing graphics character #%d, U+%04X\n", + ch, n)); +@@ -1702,12 +1722,12 @@ xtermLoadFont(XtermWidget xw, + #endif + + for (ch = 1; ch < 32; ch++) { +- if (xtermMissingChar(ch, &fnts[fNorm])) { ++ if (xtermMissingChar(ch, &new_fonts[fNorm])) { + TRACE(("missing normal char #%d\n", ch)); + UIntClr(screen->fnt_boxes, 1); + break; + } +- if (xtermMissingChar(ch, &fnts[fBold])) { ++ if (xtermMissingChar(ch, &new_fonts[fBold])) { + TRACE(("missing bold char #%d\n", ch)); + UIntClr(screen->fnt_boxes, 1); + break; +@@ -1724,8 +1744,8 @@ xtermLoadFont(XtermWidget xw, + screen->enbolden = screen->bold_mode; + } else { + screen->enbolden = screen->bold_mode +- && ((fnts[fNorm].fs == fnts[fBold].fs) +- || same_font_name(myfonts.f_n, myfonts.f_b)); ++ && ((new_fonts[fNorm].fs == new_fonts[fBold].fs) ++ || same_font_name(new_fnames.f_n, new_fnames.f_b)); + } + TRACE(("Will %suse 1-pixel offset/overstrike to simulate bold\n", + screen->enbolden ? "" : "not ")); +@@ -1741,7 +1761,7 @@ xtermLoadFont(XtermWidget xw, + update_font_escape(); + } + #if OPT_SHIFT_FONTS +- screen->menu_font_sizes[fontnum] = FontSize(fnts[fNorm].fs); ++ screen->menu_font_sizes[fontnum] = FontSize(new_fonts[fNorm].fs); + #endif + } + set_cursor_gcs(xw); +@@ -1756,20 +1776,21 @@ xtermLoadFont(XtermWidget xw, + FREE_FNAME(f_w); + FREE_FNAME(f_wb); + #endif +- if (fnts[fNorm].fn == fnts[fBold].fn) { +- free(fnts[fNorm].fn); ++ if (new_fonts[fNorm].fn == new_fonts[fBold].fn) { ++ free(new_fonts[fNorm].fn); + } else { +- free(fnts[fNorm].fn); +- free(fnts[fBold].fn); ++ free(new_fonts[fNorm].fn); ++ free(new_fonts[fBold].fn); + } + #if OPT_WIDE_CHARS +- free(fnts[fWide].fn); +- free(fnts[fWBold].fn); ++ free(new_fonts[fWide].fn); ++ free(new_fonts[fWBold].fn); + #endif + xtermSetWinSize(xw); + return 1; + + bad: ++ recovered = False; + if (tmpname) + free(tmpname); + +@@ -1780,15 +1801,15 @@ xtermLoadFont(XtermWidget xw, + SetItemSensitivity(fontMenuEntries[fontnum].widget, True); + #endif + Bell(xw, XkbBI_MinorError, 0); +- myfonts.f_n = screen->MenuFontName(old_fontnum); +- return xtermLoadFont(xw, &myfonts, doresize, old_fontnum); +- } else if (x_strcasecmp(myfonts.f_n, DEFFONT)) { +- int code; +- +- myfonts.f_n = x_strdup(DEFFONT); +- TRACE(("...recovering for TrueType fonts\n")); +- code = xtermLoadFont(xw, &myfonts, doresize, fontnum); +- if (code) { ++ new_fnames.f_n = screen->MenuFontName(old_fontnum); ++ if (xtermLoadFont(xw, &new_fnames, doresize, old_fontnum)) ++ recovered = True; ++ } else if (x_strcasecmp(new_fnames.f_n, DEFFONT) ++ && x_strcasecmp(new_fnames.f_n, old_fonts[fNorm].fn)) { ++ new_fnames.f_n = x_strdup(old_fonts[fNorm].fn); ++ TRACE(("...recovering from failed font-load\n")); ++ if (xtermLoadFont(xw, &new_fnames, doresize, fontnum)) { ++ recovered = True; + if (fontnum != fontMenu_fontsel) { + SetItemSensitivity(fontMenuEntries[fontnum].widget, + UsingRenderFont(xw)); +@@ -1797,15 +1818,15 @@ xtermLoadFont(XtermWidget xw, + FontHeight(screen), + FontWidth(screen))); + } +- return code; + } + #endif +- +- releaseWindowGCs(xw, win); +- +- xtermCloseFonts(xw, fnts); +- TRACE(("Fail Cgs - xtermLoadFont\n")); +- return 0; ++ if (!recovered) { ++ releaseWindowGCs(xw, win); ++ xtermCloseFonts(xw, new_fonts); ++ TRACE(("Fail Cgs - xtermLoadFont\n")); ++ code = 0; ++ } ++ return code; + } + + #if OPT_WIDE_ATTRS +@@ -1853,7 +1874,7 @@ xtermLoadItalics(XtermWidget xw) + } else { + xtermOpenFont(xw, + getNormalFont(screen, n)->fn, +- data, False); ++ data, NULL, False); + } + } + } +@@ -4317,7 +4338,7 @@ lookupOneFontSize(XtermWidget xw, int fontnum) + + memset(&fnt, 0, sizeof(fnt)); + screen->menu_font_sizes[fontnum] = -1; +- if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, True)) { ++ if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, NULL, True)) { + if (fontnum <= fontMenu_lastBuiltin + || strcmp(fnt.fn, DEFFONT)) { + screen->menu_font_sizes[fontnum] = FontSize(fnt.fs); +@@ -4722,13 +4743,14 @@ HandleSetFont(Widget w GCC_UNUSED, + } + } + +-void ++Bool + SetVTFont(XtermWidget xw, + int which, + Bool doresize, + const VTFontNames * fonts) + { + TScreen *screen = TScreenOf(xw); ++ Bool result = False; + + TRACE(("SetVTFont(which=%d, f_n=%s, f_b=%s)\n", which, + (fonts && fonts->f_n) ? fonts->f_n : "<null>", +@@ -4737,34 +4759,31 @@ SetVTFont(XtermWidget xw, + if (IsIcon(screen)) { + Bell(xw, XkbBI_MinorError, 0); + } else if (which >= 0 && which < NMENUFONTS) { +- VTFontNames myfonts; ++ VTFontNames new_fnames; + +- memset(&myfonts, 0, sizeof(myfonts)); ++ memset(&new_fnames, 0, sizeof(new_fnames)); + if (fonts != 0) +- myfonts = *fonts; ++ new_fnames = *fonts; + + if (which == fontMenu_fontsel) { /* go get the selection */ +- FindFontSelection(xw, myfonts.f_n, False); ++ result = FindFontSelection(xw, new_fnames.f_n, False); + } else { +- int oldFont = screen->menu_font_number; +- + #define USE_CACHED(field, name) \ +- if (myfonts.field == 0) { \ +- myfonts.field = x_strdup(screen->menu_font_names[which][name]); \ +- TRACE(("set myfonts." #field " from menu_font_names[%d][" #name "] %s\n", \ +- which, NonNull(myfonts.field))); \ ++ if (new_fnames.field == NULL) { \ ++ new_fnames.field = x_strdup(screen->menu_font_names[which][name]); \ ++ TRACE(("set new_fnames." #field " from menu_font_names[%d][" #name "] %s\n", \ ++ which, NonNull(new_fnames.field))); \ + } else { \ +- TRACE(("set myfonts." #field " reused\n")); \ ++ TRACE(("set new_fnames." #field " reused\n")); \ + } + #define SAVE_FNAME(field, name) \ +- if (myfonts.field != 0) { \ +- if (screen->menu_font_names[which][name] == 0 \ +- || strcmp(screen->menu_font_names[which][name], myfonts.field)) { \ +- TRACE(("updating menu_font_names[%d][" #name "] to %s\n", \ +- which, myfonts.field)); \ +- FREE_STRING(screen->menu_font_names[which][name]); \ +- screen->menu_font_names[which][name] = x_strdup(myfonts.field); \ +- } \ ++ if (new_fnames.field != NULL \ ++ && (screen->menu_font_names[which][name] == NULL \ ++ || strcmp(screen->menu_font_names[which][name], new_fnames.field))) { \ ++ TRACE(("updating menu_font_names[%d][" #name "] to \"%s\"\n", \ ++ which, new_fnames.field)); \ ++ FREE_STRING(screen->menu_font_names[which][name]); \ ++ screen->menu_font_names[which][name] = x_strdup(new_fnames.field); \ + } + + USE_CACHED(f_n, fNorm); +@@ -4774,7 +4793,7 @@ SetVTFont(XtermWidget xw, + USE_CACHED(f_wb, fWBold); + #endif + if (xtermLoadFont(xw, +- &myfonts, ++ &new_fnames, + doresize, which)) { + /* + * If successful, save the data so that a subsequent query via +@@ -4786,10 +4805,8 @@ SetVTFont(XtermWidget xw, + SAVE_FNAME(f_w, fWide); + SAVE_FNAME(f_wb, fWBold); + #endif ++ result = True; + } else { +- (void) xtermLoadFont(xw, +- xtermFontName(screen->MenuFontName(oldFont)), +- doresize, oldFont); + Bell(xw, XkbBI_MinorError, 0); + } + FREE_FNAME(f_n); +@@ -4802,7 +4819,8 @@ SetVTFont(XtermWidget xw, + } else { + Bell(xw, XkbBI_MinorError, 0); + } +- return; ++ TRACE(("...SetVTFont: %d\n", result)); ++ return result; + } + + #if OPT_RENDERFONT +diff --git a/fontutils.h b/fontutils.h +index 9d530c5..ceaf44a 100644 +--- a/fontutils.h ++++ b/fontutils.h +@@ -37,7 +37,7 @@ + /* *INDENT-OFF* */ + + extern Bool xtermLoadDefaultFonts (XtermWidget /* xw */); +-extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, Bool /* force */); ++extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, XTermFonts * /* current */, Bool /* force */); + extern XTermFonts * getDoubleFont (TScreen * /* screen */, int /* which */); + extern XTermFonts * getItalicFont (TScreen * /* screen */, int /* which */); + extern XTermFonts * getNormalFont (TScreen * /* screen */, int /* which */); +@@ -50,7 +50,7 @@ extern int lookupRelativeFontSize (XtermWidget /* xw */, int /* old */, int /* r + extern int xtermGetFont (const char * /* param */); + extern int xtermLoadFont (XtermWidget /* xw */, const VTFontNames */* fonts */, Bool /* doresize */, int /* fontnum */); + extern void HandleSetFont PROTO_XT_ACTIONS_ARGS; +-extern void SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */); ++extern Bool SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */); + extern void allocFontList (XtermWidget /* xw */, const char * /* name */, XtermFontNames * /* target */, VTFontEnum /* which */, const char * /* source */, Bool /* ttf */); + extern void copyFontList (char *** /* targetp */, char ** /* source */); + extern void initFontLists (XtermWidget /* xw */); +diff --git a/misc.c b/misc.c +index cc323f8..6c5e938 100644 +--- a/misc.c ++++ b/misc.c +@@ -3787,9 +3787,9 @@ ChangeFontRequest(XtermWidget xw, String buf) + { + memset(&fonts, 0, sizeof(fonts)); + fonts.f_n = name; +- SetVTFont(xw, num, True, &fonts); +- if (num == screen->menu_font_number && +- num != fontMenu_fontescape) { ++ if (SetVTFont(xw, num, True, &fonts) ++ && num == screen->menu_font_number ++ && num != fontMenu_fontescape) { + screen->EscapeFontName() = x_strdup(name); + } + } +@@ -6237,7 +6237,6 @@ xtermSetenv(const char *var, const char *value) + + found = envindex; + environ[found + 1] = NULL; +- environ = environ; + } + + environ[found] = TextAlloc(1 + len + strlen(value)); +diff --git a/screen.c b/screen.c +index 690e3e2..f84254f 100644 +--- a/screen.c ++++ b/screen.c +@@ -1497,7 +1497,7 @@ ScrnRefresh(XtermWidget xw, + screen->topline, toprow, leftcol, + nrows, ncols, + force ? " force" : "")); +- ++ (void) recurse; + ++recurse; + + if (screen->cursorp.col >= leftcol +diff --git a/xterm.h b/xterm.h +index ec70e43..aa71f96 100644 +--- a/xterm.h ++++ b/xterm.h +@@ -967,7 +967,7 @@ extern Bool CheckBufPtrs (TScreen * /* screen */); + extern Bool set_cursor_gcs (XtermWidget /* xw */); + extern char * vt100ResourceToString (XtermWidget /* xw */, const char * /* name */); + extern int VTInit (XtermWidget /* xw */); +-extern void FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */); ++extern Bool FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */); + extern void HideCursor (void); + extern void RestartBlinking(XtermWidget /* xw */); + extern void ShowCursor (void); +diff --git a/xterm.log.html b/xterm.log.html +index 47d590b..e27dc31 100644 +--- a/xterm.log.html ++++ b/xterm.log.html +@@ -991,6 +991,12 @@ + 2020/02/01</a></h1> + + <ul> ++ <li>improve error-recovery when setting a bitmap font for the ++ VT100 window, e.g., in case <em>OSC 50</em> failed, ++ restoring the most recent valid font so that a subsequent ++ <em>OSC 50</em> reports this correctly (report by David ++ Leadbeater).</li> ++ + <li>amend change in <a href="#xterm_352">patch #352</a> for + button-events to fix a case where some followup events were not + processed soon enough (report/patch by Jimmy Aguilar +-- +2.24.4 + diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb index 06c285924d..4e2b0c9d53 100644 --- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb +++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb @@ -6,8 +6,10 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \ file://0001-Add-configure-time-check-for-setsid.patch \ + file://CVE-2021-27135.patch \ + file://CVE-2022-24130.patch \ + file://CVE-2022-45063.patch \ " - SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f" SRC_URI[sha256sum] = "e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768" PACKAGECONFIG ?= "" diff --git a/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb b/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb index b436ef1e4a..3d60ed1310 100644 --- a/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb +++ b/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=10ce5de3b111315ea652a5f74ec0c602" DEPENDS += "virtual/libx11 libdrm xorgproto" SRCREV = "8bbdb2ae3bb8ef649999a8da33ddbe11a04763b8" -SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-armsoc" +SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-armsoc;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/yad/yad_6.0.bb b/meta-oe/recipes-graphics/yad/yad_6.0.bb index 3760a37d31..92a5c284b3 100644 --- a/meta-oe/recipes-graphics/yad/yad_6.0.bb +++ b/meta-oe/recipes-graphics/yad/yad_6.0.bb @@ -5,7 +5,7 @@ AUTHOR = "Victor Ananjevsky" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" -SRC_URI = "git://github.com/v1cont/yad.git" +SRC_URI = "git://github.com/v1cont/yad.git;branch=master;protocol=https" SRCREV = "a5b1a7a3867bc7dffbbc539f586f301687b6ec02" inherit autotools gsettings features_check diff --git a/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb b/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb index 2eb19206d3..57232f8d5f 100644 --- a/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb +++ b/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb @@ -10,7 +10,7 @@ EXTRA_OEMAKE = "'CC=${CC}'" SRCREV = "468fe4c31e6c62c9bbb328b06ba71eaf7be0b76a" -SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kgdb/agent-proxy.git;protocol=git \ +SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kgdb/agent-proxy.git;protocol=git;branch=master \ file://0001-Makefile-Add-LDFLAGS-variable.patch \ " diff --git a/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb b/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb index 8c474ecdc4..b6fbccfbf5 100644 --- a/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb +++ b/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb @@ -9,7 +9,7 @@ LICENSE = "Firmware-Broadcom-WIDCOMM" NO_GENERIC_LICENSE[Firmware-Broadcom-WIDCOMM] = "LICENSE.broadcom_bcm20702" LIC_FILES_CHKSUM = "file://LICENSE.broadcom_bcm20702;md5=c0d5ea0502b00df74173d0f8a48b619d" -SRC_URI = "git://github.com/winterheart/broadcom-bt-firmware.git" +SRC_URI = "git://github.com/winterheart/broadcom-bt-firmware.git;branch=master;protocol=https" SRCREV = "c0bd928b8ae5754b6077c99afe6ef5c949a58f32" PE = "1" PV = "0.0+git${SRCPV}" diff --git a/meta-oe/recipes-kernel/crash/crash_7.2.8.bb b/meta-oe/recipes-kernel/crash/crash_7.2.8.bb index 834c92cc46..5dd2c0aa0d 100644 --- a/meta-oe/recipes-kernel/crash/crash_7.2.8.bb +++ b/meta-oe/recipes-kernel/crash/crash_7.2.8.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING3;md5=d32239bcb673463ab874e80d47fae504" DEPENDS = "zlib readline coreutils-native ncurses-native" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/crash-utility/${BPN}.git \ +SRC_URI = "git://github.com/crash-utility/${BPN}.git;branch=master;protocol=https \ ${GNU_MIRROR}/gdb/gdb-7.6.tar.gz;name=gdb;subdir=git \ file://7001force_define_architecture.patch \ file://7003cross_ranlib.patch \ diff --git a/meta-oe/recipes-kernel/kpatch/kpatch.inc b/meta-oe/recipes-kernel/kpatch/kpatch.inc index 1f70f72054..685be7d40c 100644 --- a/meta-oe/recipes-kernel/kpatch/kpatch.inc +++ b/meta-oe/recipes-kernel/kpatch/kpatch.inc @@ -3,7 +3,7 @@ DESCRIPTION = "kpatch is a Linux dynamic kernel patching infrastructure which al LICENSE = "GPLv2 & LGPLv2" DEPENDS = "elfutils bash" -SRC_URI = "git://github.com/dynup/kpatch.git;protocol=https \ +SRC_URI = "git://github.com/dynup/kpatch.git;protocol=https;branch=master \ file://0001-kpatch-build-add-cross-compilation-support.patch \ file://0002-kpatch-build-allow-overriding-of-distro-name.patch \ " diff --git a/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb b/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb index d381c83ae8..8188ae599d 100644 --- a/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb +++ b/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb @@ -13,7 +13,7 @@ SRCREV = "16a0d44f1725eaa93096eaa0e086f42ef4c2712c" PR .= "+git${SRCPV}" -SRC_URI = "git://github.com/diamon/minicoredumper;protocol=https \ +SRC_URI = "git://github.com/diamon/minicoredumper;protocol=https;branch=master \ file://minicoredumper.service \ file://minicoredumper.init \ " diff --git a/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb b/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb index a1378866ad..78d9c36c92 100644 --- a/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb +++ b/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb @@ -6,7 +6,7 @@ LICENSE = "GPL-2" LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e" SRCREV = "cf59527dc24fdd2f314ae4dcaeb3d68a117988f6" -SRC_URI = "git://github.com/intel/pm-graph.git \ +SRC_URI = "git://github.com/intel/pm-graph.git;branch=master;protocol=https \ file://0001-Makefile-fix-multilib-build-failure.patch \ file://0001-sleepgraph.py-use-python3.patch \ " diff --git a/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb b/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb index 5fffe77c2d..e33a3f2574 100644 --- a/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb +++ b/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb @@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " libexecinfo" SRCREV = "de37569c926c5886768f892c019e3f0468615038" SRC_URI = " \ - git://github.com/linuxaudio/a2jmidid;protocol=https \ + git://github.com/linuxaudio/a2jmidid;protocol=https;branch=master \ file://riscv_ucontext.patch \ " diff --git a/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb b/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb index e954341ffe..dbf4c1ae74 100644 --- a/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb +++ b/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = " \ DEPENDS = "libsamplerate0 libsndfile1 readline" -SRC_URI = "git://github.com/jackaudio/jack2.git \ +SRC_URI = "git://github.com/jackaudio/jack2.git;branch=master;protocol=https \ file://0001-example-clients-Use-c-compiler-for-jack_simdtests.patch \ " SRCREV = "b54a09bf7ef760d81fdb8544ad10e45575394624" diff --git a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb index 3454a5c270..f6c64212fe 100644 --- a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb +++ b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a42532a0684420bdb15556c3cdd49a75" DEPENDS = "enca fontconfig freetype libpng fribidi" -SRC_URI = "git://github.com/libass/libass.git" +SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https" SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb b/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb index 70a39c7b60..13979ae9b9 100644 --- a/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb +++ b/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb @@ -17,7 +17,7 @@ LICENSE_FLAGS = "commercial" SRCREV_mpv = "70b991749df389bcc0a4e145b5687233a03b4ed7" SRC_URI = " \ - git://github.com/mpv-player/mpv;name=mpv \ + git://github.com/mpv-player/mpv;name=mpv;branch=master;protocol=https \ https://waf.io/waf-2.0.20;name=waf;subdir=git \ " SRC_URI[waf.sha256sum] = "bf971e98edc2414968a262c6aa6b88541a26c3cd248689c89f4c57370955ee7f" diff --git a/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb b/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb index bcb3015f8b..f6cefd8107 100644 --- a/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb +++ b/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb @@ -11,7 +11,7 @@ DEPENDS = "alsa-lib dbus udev" SRCREV = "14c11c0fe4d366bad4cfecdee97b6652ff9ed63d" PV = "0.2.7" -SRC_URI = "git://github.com/PipeWire/pipewire" +SRC_URI = "git://github.com/PipeWire/pipewire;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb b/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb index 1a415c13c3..c55432d3bd 100644 --- a/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb +++ b/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb @@ -11,7 +11,7 @@ DEPENDS = "alsa-lib dbus udev" SRCREV = "74a1632f0720886d5b3b6c23ee8fcd6c03ca7aac" PV = "0.3.1" -SRC_URI = "git://github.com/PipeWire/pipewire" +SRC_URI = "git://github.com/PipeWire/pipewire;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb b/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb index a192d1a3bb..98542ffe61 100644 --- a/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb +++ b/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb @@ -2,7 +2,7 @@ SUMMARY = "Yet Another V4L2 Test Application" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe" -SRC_URI = "git://git.ideasonboard.org/yavta.git \ +SRC_URI = "git://git.ideasonboard.org/yavta.git;branch=master \ file://0001-Add-stdout-mode-to-allow-streaming-over-the-network-.patch" SRCREV = "7e9f28bedc1ed3205fb5164f686aea96f27a0de2" diff --git a/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb b/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb index 4a98ec17dd..d607bbebe8 100644 --- a/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb +++ b/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb @@ -8,7 +8,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=d5b04755015be901744a78cc30d390d4" SRCREV = "7ec7a33a081aeeb53fed1a8d87e4cbd189152527" -SRC_URI += "git://chromium.googlesource.com/webm/libvpx;protocol=https \ +SRC_URI += "git://chromium.googlesource.com/webm/libvpx;protocol=https;branch=master \ file://libvpx-configure-support-blank-prefix.patch \ " diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index 589bb90e6e..ff1b9ec875 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -7,7 +7,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=516215fd57564996d70327db19b368ff" SECTION = "console/utils" DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript poppler qpdf libpng" -DEPENDS_class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-native gettext-native libpng-native" SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz" @@ -23,13 +22,6 @@ EXTRA_OECONF += " --enable-ghostscript --disable-ldap \ --with-rcdir=no \ --without-php" -EXTRA_OECONF_class-native += " --with-pdftops=pdftops \ - --disable-avahi --disable-ghostscript \ - --disable-ldap \ - --with-png --without-jpeg --without-tiff" - -BBCLASSEXTEND = "native" - PACKAGECONFIG[jpeg] = "--with-jpeg,--without-jpeg,jpeg" PACKAGECONFIG[png] = "--with-png,--without-png,libpng" PACKAGECONFIG[tiff] = "--with-tiff,--without-tiff,tiff" diff --git a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb b/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb index 0a8c2e4834..879dbe5cae 100644 --- a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb +++ b/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb @@ -31,6 +31,9 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ LIBDIR=${libdir} \ USRLIBDIR=${libdir} \ INCLUDEDIR=${includedir} \ + ETCDIR=${sysconfdir} \ + SHAREDIR=${datadir}/keyutils \ + MANDIR=${datadir}/man \ BUILDFOR=${SITEINFO_BITS}-bit \ NO_GLIBC_KEYERR=1 \ " @@ -40,18 +43,6 @@ do_install () { oe_runmake DESTDIR=${D} install } -do_install_append_class-nativesdk() { - install -d ${D}${datadir} - src_dir="${D}${target_datadir}" - mv $src_dir/* ${D}${datadir} - par_dir=`dirname $src_dir` - rmdir $src_dir $par_dir - - install -d ${D}${sysconfdir} - mv ${D}/etc/* ${D}${sysconfdir}/ - rmdir ${D}/etc -} - do_install_ptest () { cp -r ${S}/tests ${D}${PTEST_PATH}/ sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh diff --git a/meta-oe/recipes-security/softhsm/softhsm_git.bb b/meta-oe/recipes-security/softhsm/softhsm_git.bb index 3236cb9a60..4ceda3d4b8 100644 --- a/meta-oe/recipes-security/softhsm/softhsm_git.bb +++ b/meta-oe/recipes-security/softhsm/softhsm_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210" DEPENDS = "openssl" PV = "2.5.0" -SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master" +SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master;protocol=https" SRCREV = "369df0383d101bc8952692c2a368ac8bc887d1b4" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb b/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb index 4ea6c8a295..8df94d91e2 100644 --- a/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb +++ b/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb @@ -4,7 +4,7 @@ SUMMARY = "Ace is a code editor written in JavaScript. This repository has only LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=794d11c5219c59c9efa2487c2b4066b2" -SRC_URI = "git://github.com/ajaxorg/ace-builds.git;protocol=https" +SRC_URI = "git://github.com/ajaxorg/ace-builds.git;protocol=https;branch=master" PV = "02.07.17+git${SRCPV}" SRCREV = "812e2c56aed246931a667f16c28b096e34597016" diff --git a/meta-oe/recipes-support/anthy/anthy_9100h.bb b/meta-oe/recipes-support/anthy/anthy_9100h.bb index a65d324eae..b464c00003 100644 --- a/meta-oe/recipes-support/anthy/anthy_9100h.bb +++ b/meta-oe/recipes-support/anthy/anthy_9100h.bb @@ -10,8 +10,8 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/anthy/37536/anthy-9100h.tar.gz \ file://2ch_t.patch \ " -SRC_URI_append_class-target = "file://target-helpers.patch" -SRC_URI_append_class-native = "file://native-helpers.patch" +SRC_URI_append_class-target = " file://target-helpers.patch" +SRC_URI_append_class-native = " file://native-helpers.patch" SRC_URI[md5sum] = "1f558ff7ed296787b55bb1c6cf131108" SRC_URI[sha256sum] = "d256f075f018b4a3cb0d165ed6151fda4ba7db1621727e0eb54569b6e2275547" diff --git a/meta-oe/recipes-support/avro/avro-c_1.9.2.bb b/meta-oe/recipes-support/avro/avro-c_1.9.2.bb index 0642179fb3..e85f341f1f 100644 --- a/meta-oe/recipes-support/avro/avro-c_1.9.2.bb +++ b/meta-oe/recipes-support/avro/avro-c_1.9.2.bb @@ -9,7 +9,7 @@ DEPENDS = "jansson zlib xz" BRANCH = "branch-1.9" SRCREV = "bf20128ca6138a830b2ea13e0490f3df6b035639" -SRC_URI = "git://github.com/apache/avro;branch=${BRANCH} \ +SRC_URI = "git://github.com/apache/avro;branch=${BRANCH};protocol=https \ file://0001-cmake-Use-GNUInstallDirs-instead-of-hard-coded-paths.patch;patchdir=../../ \ " diff --git a/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb b/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb index 407de21385..d7d0b9c154 100644 --- a/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb +++ b/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb @@ -24,7 +24,7 @@ LIC_FILES_CHKSUM = "file://README.QUICK;md5=81b447d779e278628c843aef92f088fa" DEPENDS = "libatomic-ops" SRCREV = "d3dede3ce4462cd82a15f161af797ca51654546a" -SRC_URI = "git://github.com/ivmai/bdwgc.git;branch=release-8_0" +SRC_URI = "git://github.com/ivmai/bdwgc.git;branch=release-8_0;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch deleted file mode 100644 index 8f15f8424c..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f2f1e134bf5d9d0789942848e03006af8d926cf8 Mon Sep 17 00:00:00 2001 -From: Wang Mingyu <wangmy@cn.fujitsu.com> -Date: Tue, 17 Mar 2020 12:53:35 +0800 -Subject: [PATCH] fix configure error : mv libcares.pc.cmakein to - libcares.pc.cmake - -Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> ---- - CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 3a5878d..c2e5740 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -563,7 +563,7 @@ IF (CARES_STATIC) - ENDIF() - - # Write ares_config.h configuration file. This is used only for the build. --CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+CONFIGURE_FILE (libcares.pc.cmake ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) - - - --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch new file mode 100644 index 0000000000..fb0aee372f --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch @@ -0,0 +1,67 @@ +From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul + +CVE: CVE-2022-4904 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index 51668a5c..3f9cec65 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index 63c6a228..ee845181 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch new file mode 100644 index 0000000000..603d2687d5 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch @@ -0,0 +1,329 @@ +From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:34 -0400 +Subject: [PATCH] Merge pull request from GHSA-x6mf-cxr9-8q6v + +* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares. +* Always use our own IP conversion functions now, do not delegate to OS + so we can have consistency in testing and fuzzing. +* Removed bogus test cases that never should have passed. +* Add new test case for crash bug found. + +Fix By: Brad House (@bradh352) + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2] +CVE: CVE-2023-31130 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/inet_net_pton.c | 155 ++++++++++++++++++++----------------- + test/ares-test-internal.cc | 7 +- + 2 files changed, 86 insertions(+), 76 deletions(-) + +diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c +index 840de506..fc50425b 100644 +--- a/src/lib/inet_net_pton.c ++++ b/src/lib/inet_net_pton.c +@@ -1,19 +1,20 @@ + + /* +- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012 by Gilles Chehade <gilles@openbsd.org> + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * +- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE ++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL ++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR ++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS ++ * SOFTWARE. + */ + + #include "ares_setup.h" +@@ -35,9 +36,6 @@ + + const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }; + +- +-#ifndef HAVE_INET_NET_PTON +- + /* + * static int + * inet_net_pton_ipv4(src, dst, size) +@@ -60,7 +58,7 @@ const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0, + * Paul Vixie (ISC), June 1996 + */ + static int +-inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) ++ares_inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) + { + static const char xdigits[] = "0123456789abcdef"; + static const char digits[] = "0123456789"; +@@ -261,19 +259,14 @@ getv4(const char *src, unsigned char *dst, int *bitsp) + } + + static int +-inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++ares_inet_pton6(const char *src, unsigned char *dst) + { + static const char xdigits_l[] = "0123456789abcdef", +- xdigits_u[] = "0123456789ABCDEF"; ++ xdigits_u[] = "0123456789ABCDEF"; + unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *xdigits, *curtok; +- int ch, saw_xdigit; ++ int ch, saw_xdigit, count_xdigit; + unsigned int val; +- int digits; +- int bits; +- size_t bytes; +- int words; +- int ipv4; + + memset((tp = tmp), '\0', NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; +@@ -283,22 +276,22 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + if (*++src != ':') + goto enoent; + curtok = src; +- saw_xdigit = 0; ++ saw_xdigit = count_xdigit = 0; + val = 0; +- digits = 0; +- bits = -1; +- ipv4 = 0; + while ((ch = *src++) != '\0') { + const char *pch; + + if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) + pch = strchr((xdigits = xdigits_u), ch); + if (pch != NULL) { ++ if (count_xdigit >= 4) ++ goto enoent; + val <<= 4; +- val |= aresx_sztoui(pch - xdigits); +- if (++digits > 4) ++ val |= (pch - xdigits); ++ if (val > 0xffff) + goto enoent; + saw_xdigit = 1; ++ count_xdigit++; + continue; + } + if (ch == ':') { +@@ -308,78 +301,107 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + goto enoent; + colonp = tp; + continue; +- } else if (*src == '\0') ++ } else if (*src == '\0') { + goto enoent; ++ } + if (tp + NS_INT16SZ > endp) +- return (0); +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ goto enoent; ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + saw_xdigit = 0; +- digits = 0; ++ count_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && +- getv4(curtok, tp, &bits) > 0) { +- tp += NS_INADDRSZ; ++ ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) { ++ tp += INADDRSZ; + saw_xdigit = 0; +- ipv4 = 1; ++ count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } +- if (ch == '/' && getbits(src, &bits) > 0) +- break; + goto enoent; + } + if (saw_xdigit) { + if (tp + NS_INT16SZ > endp) + goto enoent; +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + } +- if (bits == -1) +- bits = 128; +- +- words = (bits + 15) / 16; +- if (words < 2) +- words = 2; +- if (ipv4) +- words = 8; +- endp = tmp + 2 * words; +- + if (colonp != NULL) { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ +- const ares_ssize_t n = tp - colonp; +- ares_ssize_t i; ++ const int n = tp - colonp; ++ int i; + + if (tp == endp) + goto enoent; + for (i = 1; i <= n; i++) { +- *(endp - i) = *(colonp + n - i); +- *(colonp + n - i) = 0; ++ endp[- i] = colonp[n - i]; ++ colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + goto enoent; + +- bytes = (bits + 7) / 8; +- if (bytes > size) +- goto emsgsize; +- memcpy(dst, tmp, bytes); +- return (bits); ++ memcpy(dst, tmp, NS_IN6ADDRSZ); ++ return (1); + +- enoent: ++enoent: + SET_ERRNO(ENOENT); + return (-1); + +- emsgsize: ++emsgsize: + SET_ERRNO(EMSGSIZE); + return (-1); + } + ++static int ++ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++{ ++ struct ares_in6_addr in6; ++ int ret; ++ int bits; ++ size_t bytes; ++ char buf[INET6_ADDRSTRLEN + sizeof("/128")]; ++ char *sep; ++ const char *errstr; ++ ++ if (strlen(src) >= sizeof buf) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ strncpy(buf, src, sizeof buf); ++ ++ sep = strchr(buf, '/'); ++ if (sep != NULL) ++ *sep++ = '\0'; ++ ++ ret = ares_inet_pton6(buf, (unsigned char *)&in6); ++ if (ret != 1) ++ return (-1); ++ ++ if (sep == NULL) ++ bits = 128; ++ else { ++ if (!getbits(sep, &bits)) { ++ SET_ERRNO(ENOENT); ++ return (-1); ++ } ++ } ++ ++ bytes = (bits + 7) / 8; ++ if (bytes > size) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ memcpy(dst, &in6, bytes); ++ return (bits); ++} ++ + /* + * int + * inet_net_pton(af, src, dst, size) +@@ -403,18 +425,15 @@ ares_inet_net_pton(int af, const char *src, void *dst, size_t size) + { + switch (af) { + case AF_INET: +- return (inet_net_pton_ipv4(src, dst, size)); ++ return (ares_inet_net_pton_ipv4(src, dst, size)); + case AF_INET6: +- return (inet_net_pton_ipv6(src, dst, size)); ++ return (ares_inet_net_pton_ipv6(src, dst, size)); + default: + SET_ERRNO(EAFNOSUPPORT); + return (-1); + } + } + +-#endif /* HAVE_INET_NET_PTON */ +- +-#ifndef HAVE_INET_PTON + int ares_inet_pton(int af, const char *src, void *dst) + { + int result; +@@ -434,11 +453,3 @@ int ares_inet_pton(int af, const char *src, void *dst) + return 0; + return (result > -1 ? 1 : -1); + } +-#else /* HAVE_INET_PTON */ +-int ares_inet_pton(int af, const char *src, void *dst) +-{ +- /* just relay this to the underlying function */ +- return inet_pton(af, src, dst); +-} +- +-#endif +diff --git a/test/ares-test-internal.cc b/test/ares-test-internal.cc +index 96d4edec..161f0a5c 100644 +--- a/test/ares-test-internal.cc ++++ b/test/ares-test-internal.cc +@@ -81,6 +81,7 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "12:34::ff/0", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "12:34::ffff:0.2", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); ++ EXPECT_EQ(2, ares_inet_net_pton(AF_INET6, "0::00:00:00/2", &a6, sizeof(a6))); + + // Various malformed versions + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET, "", &a4, sizeof(a4))); +@@ -118,11 +119,9 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234:", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678", &a6, sizeof(a6))); +- // TODO(drysdale): check whether the next two tests should give -1. +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:257.2.3.4", &a6, sizeof(a6))); +- EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:002.2.3.4", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5.6", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.z", &a6, sizeof(a6))); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch new file mode 100644 index 0000000000..ba17721a58 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch @@ -0,0 +1,717 @@ +From 823df3b989e59465d17b0a2eb1239a5fc048b4e5 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:06 -0400 +Subject: [PATCH] Merge pull request from GHSA-8r8p-23f3-64c2 + +* segment random number generation into own file + +* abstract random code to make it more modular so we can have multiple backends + +* rand: add support for arc4random_buf() and also direct CARES_RANDOM_FILE reading + +* autotools: fix detection of arc4random_buf + +* rework initial rc4 seed for PRNG as last fallback + +* rc4: more proper implementation, simplified for clarity + +* clarifications + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5] +CVE: CVE-2023-31147 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CMakeLists.txt | 2 + + configure.ac | 1 + + m4/cares-functions.m4 | 85 +++++++++++ + src/lib/Makefile.inc | 1 + + src/lib/ares_config.h.cmake | 3 + + src/lib/ares_destroy.c | 3 + + src/lib/ares_init.c | 82 ++--------- + src/lib/ares_private.h | 19 ++- + src/lib/ares_query.c | 36 +---- + src/lib/ares_rand.c | 274 ++++++++++++++++++++++++++++++++++++ + 10 files changed, 387 insertions(+), 119 deletions(-) + create mode 100644 src/lib/ares_rand.c + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 194485a3..1fb9af55 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -386,6 +386,8 @@ CHECK_SYMBOL_EXISTS (strncasecmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCAS + CHECK_SYMBOL_EXISTS (strncmpi "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCMPI) + CHECK_SYMBOL_EXISTS (strnicmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNICMP) + CHECK_SYMBOL_EXISTS (writev "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_WRITEV) ++CHECK_SYMBOL_EXISTS (arc4random_buf "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_ARC4RANDOM_BUF) ++ + + # On Android, the system headers may define __system_property_get(), but excluded + # from libc. We need to perform a link test instead of a header/symbol test. +diff --git a/configure.ac b/configure.ac +index 1d0fb5ce..9a763696 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -683,6 +683,7 @@ CARES_CHECK_FUNC_STRNCASECMP + CARES_CHECK_FUNC_STRNCMPI + CARES_CHECK_FUNC_STRNICMP + CARES_CHECK_FUNC_WRITEV ++CARES_CHECK_FUNC_ARC4RANDOM_BUF + + + dnl check for AF_INET6 +diff --git a/m4/cares-functions.m4 b/m4/cares-functions.m4 +index 0f3992c7..d4f4f994 100644 +--- a/m4/cares-functions.m4 ++++ b/m4/cares-functions.m4 +@@ -3753,3 +3753,88 @@ AC_DEFUN([CARES_CHECK_FUNC_WRITEV], [ + ac_cv_func_writev="no" + fi + ]) ++ ++dnl CARES_CHECK_FUNC_ARC4RANDOM_BUF ++dnl ------------------------------------------------- ++dnl Verify if arc4random_buf is available, prototyped, and ++dnl can be compiled. If all of these are true, and ++dnl usage has not been previously disallowed with ++dnl shell variable cares_disallow_arc4random_buf, then ++dnl HAVE_ARC4RANDOM_BUF will be defined. ++ ++AC_DEFUN([CARES_CHECK_FUNC_ARC4RANDOM_BUF], [ ++ AC_REQUIRE([CARES_INCLUDES_STDLIB])dnl ++ # ++ tst_links_arc4random_buf="unknown" ++ tst_proto_arc4random_buf="unknown" ++ tst_compi_arc4random_buf="unknown" ++ tst_allow_arc4random_buf="unknown" ++ # ++ AC_MSG_CHECKING([if arc4random_buf can be linked]) ++ AC_LINK_IFELSE([ ++ AC_LANG_FUNC_LINK_TRY([arc4random_buf]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_links_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_links_arc4random_buf="no" ++ ]) ++ # ++ if test "$tst_links_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is prototyped]) ++ AC_EGREP_CPP([arc4random_buf],[ ++ $cares_includes_stdlib ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_proto_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_proto_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_proto_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is compilable]) ++ AC_COMPILE_IFELSE([ ++ AC_LANG_PROGRAM([[ ++ $cares_includes_stdlib ++ ]],[[ ++ arc4random_buf(NULL, 0); ++ return 1; ++ ]]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_compi_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_compi_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_compi_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf usage allowed]) ++ if test "x$cares_disallow_arc4random_buf" != "xyes"; then ++ AC_MSG_RESULT([yes]) ++ tst_allow_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ tst_allow_arc4random_buf="no" ++ fi ++ fi ++ # ++ AC_MSG_CHECKING([if arc4random_buf might be used]) ++ if test "$tst_links_arc4random_buf" = "yes" && ++ test "$tst_proto_arc4random_buf" = "yes" && ++ test "$tst_compi_arc4random_buf" = "yes" && ++ test "$tst_allow_arc4random_buf" = "yes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE_UNQUOTED(HAVE_ARC4RANDOM_BUF, 1, ++ [Define to 1 if you have the arc4random_buf function.]) ++ ac_cv_func_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ ac_cv_func_arc4random_buf="no" ++ fi ++]) ++ +diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc +index a3b060c2..72a7673c 100644 +--- a/src/lib/Makefile.inc ++++ b/src/lib/Makefile.inc +@@ -45,6 +45,7 @@ CSOURCES = ares__addrinfo2hostent.c \ + ares_platform.c \ + ares_process.c \ + ares_query.c \ ++ ares_rand.c \ + ares_search.c \ + ares_send.c \ + ares_strcasecmp.c \ +diff --git a/src/lib/ares_config.h.cmake b/src/lib/ares_config.h.cmake +index fddb7853..798820a3 100644 +--- a/src/lib/ares_config.h.cmake ++++ b/src/lib/ares_config.h.cmake +@@ -346,6 +346,9 @@ + /* Define to 1 if you need the memory.h header file even with stdlib.h */ + #cmakedefine NEED_MEMORY_H + ++/* Define if have arc4random_buf() */ ++#cmakedefine HAVE_ARC4RANDOM_BUF ++ + /* a suitable file/device to read random data from */ + #cmakedefine CARES_RANDOM_FILE "@CARES_RANDOM_FILE@" + +diff --git a/src/lib/ares_destroy.c b/src/lib/ares_destroy.c +index fed2009a..0447af4c 100644 +--- a/src/lib/ares_destroy.c ++++ b/src/lib/ares_destroy.c +@@ -90,6 +90,9 @@ void ares_destroy(ares_channel channel) + if (channel->resolvconf_path) + ares_free(channel->resolvconf_path); + ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); ++ + ares_free(channel); + } + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index de5d86c9..2607ed6f 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -72,7 +72,6 @@ static int config_nameserver(struct server_state **servers, int *nservers, + static int set_search(ares_channel channel, const char *str); + static int set_options(ares_channel channel, const char *str); + static const char *try_option(const char *p, const char *q, const char *opt); +-static int init_id_key(rc4_key* key,int key_data_len); + + static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str); +@@ -149,6 +148,7 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + channel->sock_funcs = NULL; + channel->sock_func_cb_data = NULL; + channel->resolvconf_path = NULL; ++ channel->rand_state = NULL; + + channel->last_server = 0; + channel->last_timeout_processed = (time_t)now.tv_sec; +@@ -202,9 +202,13 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + /* Generate random key */ + + if (status == ARES_SUCCESS) { +- status = init_id_key(&channel->id_key, ARES_ID_KEY_LEN); ++ channel->rand_state = ares__init_rand_state(); ++ if (channel->rand_state == NULL) { ++ status = ARES_ENOMEM; ++ } ++ + if (status == ARES_SUCCESS) +- channel->next_id = ares__generate_new_id(&channel->id_key); ++ channel->next_id = ares__generate_new_id(channel->rand_state); + else + DEBUGF(fprintf(stderr, "Error: init_id_key failed: %s\n", + ares_strerror(status))); +@@ -224,6 +228,8 @@ done: + ares_free(channel->lookups); + if(channel->resolvconf_path) + ares_free(channel->resolvconf_path); ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); + ares_free(channel); + return status; + } +@@ -2495,76 +2501,6 @@ static int sortlist_alloc(struct apattern **sortlist, int *nsort, + return 1; + } + +-/* initialize an rc4 key. If possible a cryptographically secure random key +- is generated using a suitable function (for example win32's RtlGenRandom as +- described in +- http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx +- otherwise the code defaults to cross-platform albeit less secure mechanism +- using rand +-*/ +-static void randomize_key(unsigned char* key,int key_data_len) +-{ +- int randomized = 0; +- int counter=0; +-#ifdef WIN32 +- BOOLEAN res; +- if (ares_fpSystemFunction036) +- { +- res = (*ares_fpSystemFunction036) (key, key_data_len); +- if (res) +- randomized = 1; +- } +-#else /* !WIN32 */ +-#ifdef CARES_RANDOM_FILE +- FILE *f = fopen(CARES_RANDOM_FILE, "rb"); +- if(f) { +- setvbuf(f, NULL, _IONBF, 0); +- counter = aresx_uztosi(fread(key, 1, key_data_len, f)); +- fclose(f); +- } +-#endif +-#endif /* WIN32 */ +- +- if (!randomized) { +- for (;counter<key_data_len;counter++) +- key[counter]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ +- } +-} +- +-static int init_id_key(rc4_key* key,int key_data_len) +-{ +- unsigned char index1; +- unsigned char index2; +- unsigned char* state; +- short counter; +- unsigned char *key_data_ptr = 0; +- +- key_data_ptr = ares_malloc(key_data_len); +- if (!key_data_ptr) +- return ARES_ENOMEM; +- memset(key_data_ptr, 0, key_data_len); +- +- state = &key->state[0]; +- for(counter = 0; counter < 256; counter++) +- /* unnecessary AND but it keeps some compilers happier */ +- state[counter] = (unsigned char)(counter & 0xff); +- randomize_key(key->state,key_data_len); +- key->x = 0; +- key->y = 0; +- index1 = 0; +- index2 = 0; +- for(counter = 0; counter < 256; counter++) +- { +- index2 = (unsigned char)((key_data_ptr[index1] + state[counter] + +- index2) % 256); +- ARES_SWAP_BYTE(&state[counter], &state[index2]); +- +- index1 = (unsigned char)((index1 + 1) % key_data_len); +- } +- ares_free(key_data_ptr); +- return ARES_SUCCESS; +-} +- + void ares_set_local_ip4(ares_channel channel, unsigned int local_ip) + { + channel->local_ip4 = local_ip; +diff --git a/src/lib/ares_private.h b/src/lib/ares_private.h +index 60d69e08..518b5c33 100644 +--- a/src/lib/ares_private.h ++++ b/src/lib/ares_private.h +@@ -101,8 +101,6 @@ W32_FUNC const char *_w32_GetHostsFile (void); + + #endif + +-#define ARES_ID_KEY_LEN 31 +- + #include "ares_ipv6.h" + #include "ares_llist.h" + +@@ -262,12 +260,8 @@ struct apattern { + unsigned short type; + }; + +-typedef struct rc4_key +-{ +- unsigned char state[256]; +- unsigned char x; +- unsigned char y; +-} rc4_key; ++struct ares_rand_state; ++typedef struct ares_rand_state ares_rand_state; + + struct ares_channeldata { + /* Configuration data */ +@@ -302,8 +296,8 @@ struct ares_channeldata { + + /* ID to use for next query */ + unsigned short next_id; +- /* key to use when generating new ids */ +- rc4_key id_key; ++ /* random state to use when generating new ids */ ++ ares_rand_state *rand_state; + + /* Generation number to use for the next TCP socket open/close */ + int tcp_connection_generation; +@@ -359,7 +353,10 @@ void ares__close_sockets(ares_channel channel, struct server_state *server); + int ares__get_hostent(FILE *fp, int family, struct hostent **host); + int ares__read_line(FILE *fp, char **buf, size_t *bufsize); + void ares__free_query(struct query *query); +-unsigned short ares__generate_new_id(rc4_key* key); ++ ++ares_rand_state *ares__init_rand_state(void); ++void ares__destroy_rand_state(ares_rand_state *state); ++unsigned short ares__generate_new_id(ares_rand_state *state); + struct timeval ares__tvnow(void); + int ares__expand_name_validated(const unsigned char *encoded, + const unsigned char *abuf, +diff --git a/src/lib/ares_query.c b/src/lib/ares_query.c +index 508274db..42323bec 100644 +--- a/src/lib/ares_query.c ++++ b/src/lib/ares_query.c +@@ -33,32 +33,6 @@ struct qquery { + + static void qcallback(void *arg, int status, int timeouts, unsigned char *abuf, int alen); + +-static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len) +-{ +- unsigned char x; +- unsigned char y; +- unsigned char* state; +- unsigned char xorIndex; +- int counter; +- +- x = key->x; +- y = key->y; +- +- state = &key->state[0]; +- for(counter = 0; counter < buffer_len; counter ++) +- { +- x = (unsigned char)((x + 1) % 256); +- y = (unsigned char)((state[x] + y) % 256); +- ARES_SWAP_BYTE(&state[x], &state[y]); +- +- xorIndex = (unsigned char)((state[x] + state[y]) % 256); +- +- buffer_ptr[counter] = (unsigned char)(buffer_ptr[counter]^state[xorIndex]); +- } +- key->x = x; +- key->y = y; +-} +- + static struct query* find_query_by_id(ares_channel channel, unsigned short id) + { + unsigned short qid; +@@ -78,7 +52,6 @@ static struct query* find_query_by_id(ares_channel channel, unsigned short id) + return NULL; + } + +- + /* a unique query id is generated using an rc4 key. Since the id may already + be used by a running query (as infrequent as it may be), a lookup is + performed per id generation. In practice this search should happen only +@@ -89,19 +62,12 @@ static unsigned short generate_unique_id(ares_channel channel) + unsigned short id; + + do { +- id = ares__generate_new_id(&channel->id_key); ++ id = ares__generate_new_id(channel->rand_state); + } while (find_query_by_id(channel, id)); + + return (unsigned short)id; + } + +-unsigned short ares__generate_new_id(rc4_key* key) +-{ +- unsigned short r=0; +- rc4(key, (unsigned char *)&r, sizeof(r)); +- return r; +-} +- + void ares_query(ares_channel channel, const char *name, int dnsclass, + int type, ares_callback callback, void *arg) + { +diff --git a/src/lib/ares_rand.c b/src/lib/ares_rand.c +new file mode 100644 +index 00000000..a564bc23 +--- /dev/null ++++ b/src/lib/ares_rand.c +@@ -0,0 +1,274 @@ ++/* Copyright 1998 by the Massachusetts Institute of Technology. ++ * Copyright (C) 2007-2013 by Daniel Stenberg ++ * ++ * Permission to use, copy, modify, and distribute this ++ * software and its documentation for any purpose and without ++ * fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright ++ * notice and this permission notice appear in supporting ++ * documentation, and that the name of M.I.T. not be used in ++ * advertising or publicity pertaining to distribution of the ++ * software without specific, written prior permission. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" ++ * without express or implied warranty. ++ */ ++ ++#include "ares_setup.h" ++#include "ares.h" ++#include "ares_private.h" ++#include "ares_nowarn.h" ++#include <stdlib.h> ++ ++typedef enum { ++ ARES_RAND_OS = 1, /* OS-provided such as RtlGenRandom or arc4random */ ++ ARES_RAND_FILE = 2, /* OS file-backed random number generator */ ++ ARES_RAND_RC4 = 3 /* Internal RC4 based PRNG */ ++} ares_rand_backend; ++ ++typedef struct ares_rand_rc4 ++{ ++ unsigned char S[256]; ++ size_t i; ++ size_t j; ++} ares_rand_rc4; ++ ++struct ares_rand_state ++{ ++ ares_rand_backend type; ++ union { ++ FILE *rand_file; ++ ares_rand_rc4 rc4; ++ } state; ++}; ++ ++ ++/* Define RtlGenRandom = SystemFunction036. This is in advapi32.dll. There is ++ * no need to dynamically load this, other software used widely does not. ++ * http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx ++ * https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom ++ */ ++#ifdef _WIN32 ++BOOLEAN WINAPI SystemFunction036(PVOID RandomBuffer, ULONG RandomBufferLength); ++# ifndef RtlGenRandom ++# define RtlGenRandom(a,b) SystemFunction036(a,b) ++# endif ++#endif ++ ++ ++#define ARES_RC4_KEY_LEN 32 /* 256 bits */ ++ ++static unsigned int ares_u32_from_ptr(void *addr) ++{ ++ if (sizeof(void *) == 8) { ++ return (unsigned int)((((size_t)addr >> 32) & 0xFFFFFFFF) | ((size_t)addr & 0xFFFFFFFF)); ++ } ++ return (unsigned int)((size_t)addr & 0xFFFFFFFF); ++} ++ ++ ++/* initialize an rc4 key as the last possible fallback. */ ++static void ares_rc4_generate_key(ares_rand_rc4 *rc4_state, unsigned char *key, size_t key_len) ++{ ++ size_t i; ++ size_t len = 0; ++ unsigned int data; ++ struct timeval tv; ++ ++ if (key_len != ARES_RC4_KEY_LEN) ++ return; ++ ++ /* Randomness is hard to come by. Maybe the system randomizes heap and stack addresses. ++ * Maybe the current timestamp give us some randomness. ++ * Use rc4_state (heap), &i (stack), and ares__tvnow() ++ */ ++ data = ares_u32_from_ptr(rc4_state); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ data = ares_u32_from_ptr(&i); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ tv = ares__tvnow(); ++ data = (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ srand(ares_u32_from_ptr(rc4_state) | ares_u32_from_ptr(&i) | (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF)); ++ ++ for (i=len; i<key_len; i++) { ++ key[i]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ ++ } ++} ++ ++ ++static void ares_rc4_init(ares_rand_rc4 *rc4_state) ++{ ++ unsigned char key[ARES_RC4_KEY_LEN]; ++ size_t i; ++ size_t j; ++ ++ ares_rc4_generate_key(rc4_state, key, sizeof(key)); ++ ++ for (i = 0; i < sizeof(rc4_state->S); i++) { ++ rc4_state->S[i] = i & 0xFF; ++ } ++ ++ for(i = 0, j = 0; i < 256; i++) { ++ j = (j + rc4_state->S[i] + key[i % sizeof(key)]) % 256; ++ ARES_SWAP_BYTE(&rc4_state->S[i], &rc4_state->S[j]); ++ } ++ ++ rc4_state->i = 0; ++ rc4_state->j = 0; ++} ++ ++/* Just outputs the key schedule, no need to XOR with any data since we have none */ ++static void ares_rc4_prng(ares_rand_rc4 *rc4_state, unsigned char *buf, int len) ++{ ++ unsigned char *S = rc4_state->S; ++ size_t i = rc4_state->i; ++ size_t j = rc4_state->j; ++ size_t cnt; ++ ++ for (cnt=0; cnt<len; cnt++) { ++ i = (i + 1) % 256; ++ j = (j + S[i]) % 256; ++ ++ ARES_SWAP_BYTE(&S[i], &S[j]); ++ buf[cnt] = S[(S[i] + S[j]) % 256]; ++ } ++ ++ rc4_state->i = i; ++ rc4_state->j = j; ++} ++ ++ ++static int ares__init_rand_engine(ares_rand_state *state) ++{ ++ memset(state, 0, sizeof(*state)); ++ ++#if defined(HAVE_ARC4RANDOM_BUF) || defined(_WIN32) ++ state->type = ARES_RAND_OS; ++ return 1; ++#elif defined(CARES_RANDOM_FILE) ++ state->type = ARES_RAND_FILE; ++ state->state.rand_file = fopen(CARES_RANDOM_FILE, "rb"); ++ if (state->state.rand_file) { ++ setvbuf(state->state.rand_file, NULL, _IONBF, 0); ++ return 1; ++ } ++ /* Fall-Thru on failure to RC4 */ ++#endif ++ ++ state->type = ARES_RAND_RC4; ++ ares_rc4_init(&state->state.rc4); ++ ++ /* Currently cannot fail */ ++ return 1; ++} ++ ++ ++ares_rand_state *ares__init_rand_state() ++{ ++ ares_rand_state *state = NULL; ++ ++ state = ares_malloc(sizeof(*state)); ++ if (!state) ++ return NULL; ++ ++ if (!ares__init_rand_engine(state)) { ++ ares_free(state); ++ return NULL; ++ } ++ ++ return state; ++} ++ ++ ++static void ares__clear_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++ break; ++ case ARES_RAND_FILE: ++ fclose(state->state.rand_file); ++ break; ++ case ARES_RAND_RC4: ++ break; ++ } ++} ++ ++ ++static void ares__reinit_rand(ares_rand_state *state) ++{ ++ ares__clear_rand_state(state); ++ ares__init_rand_engine(state); ++} ++ ++ ++void ares__destroy_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ ares__clear_rand_state(state); ++ ares_free(state); ++} ++ ++ ++static void ares__rand_bytes(ares_rand_state *state, unsigned char *buf, size_t len) ++{ ++ ++ while (1) { ++ size_t rv; ++ size_t bytes_read = 0; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++#ifdef _WIN32 ++ RtlGenRandom(buf, len); ++ return; ++#elif defined(HAVE_ARC4RANDOM_BUF) ++ arc4random_buf(buf, len); ++ return; ++#else ++ /* Shouldn't be possible to be here */ ++ break; ++#endif ++ ++ case ARES_RAND_FILE: ++ while (1) { ++ size_t rv = fread(buf + bytes_read, 1, len - bytes_read, state->state.rand_file); ++ if (rv == 0) ++ break; /* critical error, will reinit rand state */ ++ ++ bytes_read += rv; ++ if (bytes_read == len) ++ return; ++ } ++ break; ++ ++ case ARES_RAND_RC4: ++ ares_rc4_prng(&state->state.rc4, buf, len); ++ return; ++ } ++ ++ /* If we didn't return before we got here, that means we had a critical rand ++ * failure and need to reinitialized */ ++ ares__reinit_rand(state); ++ } ++} ++ ++unsigned short ares__generate_new_id(ares_rand_state *state) ++{ ++ unsigned short r=0; ++ ++ ares__rand_bytes(state, (unsigned char *)&r, sizeof(r)); ++ return r; ++} ++ +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch new file mode 100644 index 0000000000..63192d3c81 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch @@ -0,0 +1,84 @@ +From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:49 -0400 +Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc + +Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae] +CVE: CVE-2023-32067 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_process.c | 41 +++++++++++++++++++++++++---------------- + 1 file changed, 25 insertions(+), 16 deletions(-) + +diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c +index bf0cde464..6cac0a99f 100644 +--- a/src/lib/ares_process.c ++++ b/src/lib/ares_process.c +@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + { + struct server_state *server; + int i; +- ares_ssize_t count; ++ ares_ssize_t read_len; + unsigned char buf[MAXENDSSZ + 1]; + #ifdef HAVE_RECVFROM + ares_socklen_t fromlen; +@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + /* To reduce event loop overhead, read and process as many + * packets as we can. */ + do { +- if (server->udp_socket == ARES_SOCKET_BAD) +- count = 0; +- +- else { +- if (server->addr.family == AF_INET) ++ if (server->udp_socket == ARES_SOCKET_BAD) { ++ read_len = -1; ++ } else { ++ if (server->addr.family == AF_INET) { + fromlen = sizeof(from.sa4); +- else ++ } else { + fromlen = sizeof(from.sa6); +- count = socket_recvfrom(channel, server->udp_socket, (void *)buf, +- sizeof(buf), 0, &from.sa, &fromlen); ++ } ++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf, ++ sizeof(buf), 0, &from.sa, &fromlen); + } + +- if (count == -1 && try_again(SOCKERRNO)) ++ if (read_len == 0) { ++ /* UDP is connectionless, so result code of 0 is a 0-length UDP ++ * packet, and not an indication the connection is closed like on ++ * tcp */ + continue; +- else if (count <= 0) ++ } else if (read_len < 0) { ++ if (try_again(SOCKERRNO)) ++ continue; ++ + handle_error(channel, i, now); ++ + #ifdef HAVE_RECVFROM +- else if (!same_address(&from.sa, &server->addr)) ++ } else if (!same_address(&from.sa, &server->addr)) { + /* The address the response comes from does not match the address we + * sent the request to. Someone may be attempting to perform a cache + * poisoning attack. */ +- break; ++ continue; + #endif +- else +- process_answer(channel, buf, (int)count, i, 0, now); +- } while (count > 0); ++ ++ } else { ++ process_answer(channel, buf, (int)read_len, i, 0, now); ++ } ++ } while (read_len >= 0); + } + } + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch new file mode 100644 index 0000000000..2887634289 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch @@ -0,0 +1,32 @@ +From: a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 11 Mar 2024 14:29:39 +0000 +Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q + +CVE: CVE-2024-25629 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183] +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/lib/ares__read_line.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c +index c62ad2a..d6625a3 100644 +--- a/src/lib/ares__read_line.c ++++ b/src/lib/ares__read_line.c +@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize) + if (!fgets(*buf + offset, bytestoread, fp)) + return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF; + len = offset + strlen(*buf + offset); ++ ++ /* Probably means there was an embedded NULL as the first character in ++ * the line, throw away line */ ++ if (len == 0) { ++ offset = 0; ++ continue; ++ } ++ + if ((*buf)[len - 1] == '\n') + { + (*buf)[len - 1] = 0; +-- diff --git a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch b/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch deleted file mode 100644 index 0eb7e4bbb3..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 12414304245cce6ef0e8b9547949be5109845353 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Tue, 24 Jul 2018 13:33:33 +0800 -Subject: [PATCH] cmake: Install libcares.pc - -Prepare and install libcares.pc file during cmake build, so libraries -using pkg-config to find libcares will not fail. - -Signed-off-by: Alexey Firago <alexey_firago@mentor.com> - -update to 1.14.0, fix patch warning - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - CMakeLists.txt | 28 +++++++++++++++++++++++----- - 1 file changed, 23 insertions(+), 5 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fd123e1..3a5878d 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -214,22 +214,25 @@ ADD_DEFINITIONS(${SYSFLAGS}) - - - # Tell C-Ares about libraries to depend on -+# Also pass these libraries to pkg-config file -+SET(CARES_PRIVATE_LIBS_LIST) - IF (HAVE_LIBRESOLV) -- LIST (APPEND CARES_DEPENDENT_LIBS resolv) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lresolv") - ENDIF () - IF (HAVE_LIBNSL) -- LIST (APPEND CARES_DEPENDENT_LIBS nsl) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lnsl") - ENDIF () - IF (HAVE_LIBSOCKET) -- LIST (APPEND CARES_DEPENDENT_LIBS socket) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lsocket") - ENDIF () - IF (HAVE_LIBRT) -- LIST (APPEND CARES_DEPENDENT_LIBS rt) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lrt") - ENDIF () - IF (WIN32) -- LIST (APPEND CARES_DEPENDENT_LIBS ws2_32 Advapi32) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lws2_32") - ENDIF () - -+string (REPLACE ";" " " CARES_PRIVATE_LIBS "${CARES_PRIVATE_LIBS_LIST}") - - # When checking for symbols, we need to make sure we set the proper - # headers, libraries, and definitions for the detection to work properly -@@ -554,6 +557,15 @@ CONFIGURE_FILE (ares_build.h.cmake ${PROJECT_BINARY_DIR}/ares_build.h) - # Write ares_config.h configuration file. This is used only for the build. - CONFIGURE_FILE (ares_config.h.cmake ${PROJECT_BINARY_DIR}/ares_config.h) - -+# Pass required CFLAGS to pkg-config in case of static library -+IF (CARES_STATIC) -+ SET (CPPFLAG_CARES_STATICLIB "-DCARES_STATICLIB") -+ENDIF() -+ -+# Write ares_config.h configuration file. This is used only for the build. -+CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+ -+ - - # TRANSFORM_MAKEFILE_INC - # -@@ -728,6 +740,12 @@ IF (CARES_INSTALL) - INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" COMPONENT Devel DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") - ENDIF () - -+# pkg-config file -+IF (CARES_INSTALL) -+ SET (PKGCONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/pkgconfig") -+ INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" DESTINATION ${PKGCONFIG_INSTALL_DIR}) -+ENDIF () -+ - # Legacy chain-building variables (provided for compatibility with old code). - # Don't use these, external code should be updated to refer to the aliases directly (e.g., Cares::cares). - SET (CARES_FOUND 1 CACHE INTERNAL "CARES LIBRARY FOUND") --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.0.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.0.bb deleted file mode 100644 index e235b9b954..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.0.bb +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright (c) 2012-2014 LG Electronics, Inc. -SUMMARY = "c-ares is a C library that resolves names asynchronously." -HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" -SECTION = "libs" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" - -PV = "1.16.0+gitr${SRCPV}" - -SRC_URI = "\ - git://github.com/c-ares/c-ares.git \ - file://cmake-install-libcares.pc.patch \ - file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \ -" -SRCREV = "077a587dccbe2f0d8a1987fbd3525333705c2249" - -UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" - -S = "${WORKDIR}/git" - -inherit cmake pkgconfig - -PACKAGES =+ "${PN}-utils" - -FILES_${PN}-utils = "${bindir}" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb new file mode 100644 index 0000000000..b5936e1ad0 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb @@ -0,0 +1,31 @@ +# Copyright (c) 2012-2014 LG Electronics, Inc. +SUMMARY = "c-ares is a C library that resolves names asynchronously." +HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" +SECTION = "libs" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" + +SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ + file://CVE-2022-4904.patch \ + file://CVE-2023-31130.patch \ + file://CVE-2023-31147.patch \ + file://CVE-2023-32067.patch \ + file://CVE-2024-25629.patch \ + " +SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed" + +UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig + +PACKAGES =+ "${PN}-utils" + +FILES_${PN}-utils = "${bindir}" + +BBCLASSEXTEND = "native nativesdk" + +# this vulneribility applies only when cross-compiling using autotools +# yocto cross-compiles via cmake which is also listed as official workaround +CVE_CHECK_WHITELIST += "CVE-2023-31124" diff --git a/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb b/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb index ac463038aa..e0e50366d4 100644 --- a/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb +++ b/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb @@ -6,13 +6,21 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=35e00f0c4c96a0820a03e0b31e6416be" DEPENDS = "libeigen glog" -SRC_URI = "git://github.com/ceres-solver/ceres-solver.git" +SRC_URI = "git://github.com/ceres-solver/ceres-solver.git;branch=master;protocol=https" SRCREV = "facb199f3eda902360f9e1d5271372b7e54febe1" S = "${WORKDIR}/git" inherit cmake +do_configure_prepend() { + # otherwise https://github.com/ceres-solver/ceres-solver/blob/0b748597889f460764f6c980a00c6f502caa3875/cmake/AddGerritCommitHook.cmake#L68 + # will try to fetch https://ceres-solver-review.googlesource.com/tools/hooks/commit-msg durind do_configure + # which sometimes gets stuck (as there is no TIMEOUT set in DOWNLOAD) + # and we really don't need Gerrit's Change-Id tags when just building this + touch ${S}/.git/hooks/commit-msg +} + # We don't want path to eigen3 in ceres-solver RSS to be # used by components which use CeresConfig.cmake from their # own RSS diff --git a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb index dd129cbec9..a49eab72fd 100644 --- a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb +++ b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b73927b18d5c6cd8d2ed28a6ad539733" SRCREV = "13becaddb657eacd090537719a669d66d393b8b2" PV .= "+git${SRCPV}" -SRC_URI += "gitsm://github.com/CLIUtils/CLI11 \ +SRC_URI += "gitsm://github.com/CLIUtils/CLI11;branch=main;protocol=https \ file://0001-Add-CLANG_TIDY-check.patch \ file://0001-Use-GNUInstallDirs-instead-of-hard-coded-path.patch \ " diff --git a/meta-oe/recipes-support/cmark/cmark_git.bb b/meta-oe/recipes-support/cmark/cmark_git.bb index f74a39b500..4f07beb317 100644 --- a/meta-oe/recipes-support/cmark/cmark_git.bb +++ b/meta-oe/recipes-support/cmark/cmark_git.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/commonmark/cmark" LICENSE = "BSD-2-Clause & MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=81f9cae6293cc0345a9144b78152ab62" -SRC_URI = "git://github.com/commonmark/cmark.git" +SRC_URI = "git://github.com/commonmark/cmark.git;branch=master;protocol=https" SRCREV = "8daa6b1495124f0b67e6034130e12d7be83e38bd" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/daemonize/daemonize_git.bb b/meta-oe/recipes-support/daemonize/daemonize_git.bb index c76632781a..f46dec59fc 100644 --- a/meta-oe/recipes-support/daemonize/daemonize_git.bb +++ b/meta-oe/recipes-support/daemonize/daemonize_git.bb @@ -7,7 +7,7 @@ PV = "1.7.8" inherit autotools SRCREV = "18869a797dab12bf1c917ba3b4782fef484c407c" -SRC_URI = "git://github.com/bmc/daemonize.git \ +SRC_URI = "git://github.com/bmc/daemonize.git;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb b/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb index 9fcc278d35..cac2b4fd61 100644 --- a/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb +++ b/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb @@ -4,7 +4,7 @@ DEPENDS = "libusb1" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=44fee82a1d2ed0676cf35478283e0aa0" -SRC_URI = "git://github.com/bcl/digitemp" +SRC_URI = "git://github.com/bcl/digitemp;branch=master;protocol=https" SRCREV = "a162e63aad35358aab325388f3d5e88121606419" diff --git a/meta-oe/recipes-support/dstat/dstat_0.7.4.bb b/meta-oe/recipes-support/dstat/dstat_0.7.4.bb index 74af54ca53..18c3cdf82c 100644 --- a/meta-oe/recipes-support/dstat/dstat_0.7.4.bb +++ b/meta-oe/recipes-support/dstat/dstat_0.7.4.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "asciidoc-native xmlto-native" -SRC_URI = "git://github.com/dagwieers/dstat.git \ +SRC_URI = "git://github.com/dagwieers/dstat.git;branch=master;protocol=https \ file://0001-change-dstat-to-python3.patch \ " @@ -21,4 +21,4 @@ do_install() { oe_runmake 'DESTDIR=${D}' install } -RDEPENDS_${PN} += "python3-core python3-misc python3-resource python3-shell python3-unixadmin" +RDEPENDS_${PN} += "python3-core python3-misc python3-resource python3-shell python3-six python3-unixadmin" diff --git a/meta-oe/recipes-support/epeg/epeg_git.bb b/meta-oe/recipes-support/epeg/epeg_git.bb index 8ca574014b..bdffe4ba78 100644 --- a/meta-oe/recipes-support/epeg/epeg_git.bb +++ b/meta-oe/recipes-support/epeg/epeg_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e7732a9290ea1e4b034fdc15cf49968d \ file://COPYING-PLAIN;md5=f59cacc08235a546b0c34a5422133035" DEPENDS = "jpeg libexif" -SRC_URI = "git://github.com/mattes/epeg.git" +SRC_URI = "git://github.com/mattes/epeg.git;branch=master;protocol=https" SRCREV = "9a175cd67eaa61fe45413d8da82da72936567047" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch new file mode 100644 index 0000000000..e5d069487c --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch @@ -0,0 +1,26 @@ +From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001 +From: Pydera <pydera@mailbox.org> +Date: Thu, 8 Apr 2021 17:36:16 +0200 +Subject: [PATCH] Fix out of buffer access in #1529 + +--- + src/jp2image.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 88ab9b2d6..12025f966 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m) + #endif + box.length = (uint32_t) (io_->size() - io_->tell() + 8); + } +- if (box.length == 1) ++ if (box.length < 8) + { +- // FIXME. Special case. the real box size is given in another place. ++ // box is broken, so there is nothing we can do here ++ throw Error(kerCorruptedMetadata); + } + + // Read whole box : Box header + Box data (not fixed size - can be null). diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch new file mode 100644 index 0000000000..285f6fe4ce --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch @@ -0,0 +1,37 @@ +From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Fri, 9 Apr 2021 13:37:48 +0100 +Subject: [PATCH] Fix integer overflow. +--- + src/crwimage_int.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp +index aefaf22..2e3e507 100644 +--- a/src/crwimage_int.cpp ++++ b/src/crwimage_int.cpp +@@ -559,7 +559,7 @@ namespace Exiv2 { + void CiffComponent::setValue(DataBuf buf) + { + if (isAllocated_) { +- delete pData_; ++ delete[] pData_; + pData_ = 0; + size_ = 0; + } +@@ -1167,7 +1167,11 @@ namespace Exiv2 { + pCrwMapping->crwDir_); + if (edX != edEnd || edY != edEnd || edO != edEnd) { + uint32_t size = 28; +- if (cc && cc->size() > size) size = cc->size(); ++ if (cc) { ++ if (cc->size() < size) ++ throw Error(kerCorruptedMetadata); ++ size = cc->size(); ++ } + DataBuf buf(size); + std::memset(buf.pData_, 0x0, buf.size_); + if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch new file mode 100644 index 0000000000..5ab64a7d3e --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch @@ -0,0 +1,120 @@ +From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Mon, 19 Apr 2021 18:06:00 +0100 +Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata() + +--- + src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +diff --git a/src/webpimage.cpp b/src/webpimage.cpp +index 4ddec544c..fee110bca 100644 +--- a/src/webpimage.cpp ++++ b/src/webpimage.cpp +@@ -145,7 +145,7 @@ namespace Exiv2 { + DataBuf chunkId(WEBP_TAG_SIZE+1); + chunkId.pData_ [WEBP_TAG_SIZE] = '\0'; + +- io_->read(data, WEBP_TAG_SIZE * 3); ++ readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata); + uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian); + + /* Set up header */ +@@ -185,13 +185,20 @@ namespace Exiv2 { + case we have any exif or xmp data, also check + for any chunks with alpha frame/layer set */ + while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { +- io_->read(chunkId.pData_, WEBP_TAG_SIZE); +- io_->read(size_buff, WEBP_TAG_SIZE); +- long size = Exiv2::getULong(size_buff, littleEndian); ++ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata); ++ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata); ++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian); ++ ++ // Check that `size_u32` is safe to cast to `long`. ++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()), ++ Exiv2::kerCorruptedMetadata); ++ const long size = static_cast<long>(size_u32); + DataBuf payload(size); +- io_->read(payload.pData_, payload.size_); +- byte c; +- if ( payload.size_ % 2 ) io_->read(&c,1); ++ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata); ++ if ( payload.size_ % 2 ) { ++ byte c; ++ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata); ++ } + + /* Chunk with information about features + used in the file. */ +@@ -199,6 +206,7 @@ namespace Exiv2 { + has_vp8x = true; + } + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) { ++ enforce(size >= 10, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf[WEBP_TAG_SIZE]; + +@@ -227,6 +235,7 @@ namespace Exiv2 { + } + #endif + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) { ++ enforce(size >= 10, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf[2]; + +@@ -244,11 +253,13 @@ namespace Exiv2 { + + /* Chunk with with lossless image data. */ + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) { ++ enforce(size >= 5, Exiv2::kerCorruptedMetadata); + if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) { + has_alpha = true; + } + } + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) { ++ enforce(size >= 5, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf_w[2]; + byte size_buf_h[3]; +@@ -276,11 +287,13 @@ namespace Exiv2 { + + /* Chunk with animation frame. */ + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) { ++ enforce(size >= 6, Exiv2::kerCorruptedMetadata); + if ((payload.pData_[5] & 0x2) == 0x2) { + has_alpha = true; + } + } + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) { ++ enforce(size >= 12, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf[WEBP_TAG_SIZE]; + +@@ -309,16 +322,22 @@ namespace Exiv2 { + + io_->seek(12, BasicIo::beg); + while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { +- io_->read(chunkId.pData_, 4); +- io_->read(size_buff, 4); ++ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata); ++ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata); ++ ++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian); + +- long size = Exiv2::getULong(size_buff, littleEndian); ++ // Check that `size_u32` is safe to cast to `long`. ++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()), ++ Exiv2::kerCorruptedMetadata); ++ const long size = static_cast<long>(size_u32); + + DataBuf payload(size); +- io_->read(payload.pData_, size); ++ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata); + if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad + + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) { ++ enforce(size >= 1, Exiv2::kerCorruptedMetadata); + if (has_icc){ + payload.pData_[0] |= WEBP_VP8X_ICC_BIT; + } else { diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch new file mode 100644 index 0000000000..f0c482450c --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch @@ -0,0 +1,72 @@ +From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001 +From: Wang Mingyu <wangmy@fujitsu.com> +Date: Tue, 18 May 2021 10:52:54 +0900 +Subject: [PATCH] modify + +Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> +--- + src/jp2image.cpp | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 52723a4..0ac4f50 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m) + void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf) + { + DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space +- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? +- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? ++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? ++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? + Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; +- int32_t length = getLong((byte*)&pBox->length, bigEndian); +- int32_t count = sizeof (Jp2BoxHeader); ++ uint32_t length = getLong((byte*)&pBox->length, bigEndian); ++ uint32_t count = sizeof (Jp2BoxHeader); + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + +@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m) + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl; + #endif ++ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata); + count += subBox.length; + newBox.type = subBox.type; + } else { +@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m) + count = length; + } + +- int32_t newlen = subBox.length; ++ uint32_t newlen = subBox.length; + if ( newBox.type == kJp2BoxTypeColorHeader ) { + bWroteColor = true ; + if ( ! iccProfileDefined() ) { + const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid"; + uint32_t psize = 15; ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ul2Data((byte*)&newBox.length,psize ,bigEndian); + ul2Data((byte*)&newBox.type ,newBox.type,bigEndian); + ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox)); +@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m) + } else { + const char* pad = "\0x02\x00\x00"; + uint32_t psize = 3; ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian); + ul2Data((byte*)&newBox.type,newBox.type,bigEndian); + ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) ); +@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m) + newlen = psize + iccProfile_.size_; + } + } else { ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length); + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch new file mode 100644 index 0000000000..eedf9d79aa --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch @@ -0,0 +1,32 @@ +From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Wed, 21 Apr 2021 12:06:04 +0100 +Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header +--- + src/jp2image.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index b424225..349a9f0 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m) + DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space + long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? + long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? ++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; + uint32_t length = getLong((byte*)&pBox->length, bigEndian); ++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + uint32_t count = sizeof (Jp2BoxHeader); + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + + while ( count < length || !bWroteColor ) { ++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; + + // copy data. pointer could be into a memory mapped file which we will decode! +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch new file mode 100644 index 0000000000..4afedf8e59 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch @@ -0,0 +1,21 @@ +From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Fri, 23 Apr 2021 11:44:44 +0100 +Subject: [PATCH] Add bounds check in Jp2Image::doWriteMetadata(). + +--- + src/jp2image.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 1694fed27..ca8c9ddbb 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m) + + case kJp2BoxTypeUuid: + { ++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata); + if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0) + { + #ifdef EXIV2_DEBUG_MESSAGES diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch new file mode 100644 index 0000000000..e7c5e1b656 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch @@ -0,0 +1,54 @@ +From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001 +From: Robin Mills <robin@clanmills.com> +Date: Mon, 5 Apr 2021 20:33:25 +0100 +Subject: [PATCH] fix_1522_jp2image_exif_asan + +--- + src/jp2image.cpp | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index eb31cea4a..88ab9b2d6 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -28,6 +28,7 @@ + #include "image.hpp" + #include "image_int.hpp" + #include "basicio.hpp" ++#include "enforce.hpp" + #include "error.hpp" + #include "futils.hpp" + #include "types.hpp" +@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m) + if (io_->error()) throw Error(kerFailedToReadImageData); + if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed); + +- if (rawData.size_ > 0) ++ if (rawData.size_ > 8) // "II*\0long" + { + // Find the position of Exif header in bytes array. + long pos = ( (rawData.pData_[0] == rawData.pData_[1]) +@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m) + position = io_->tell(); + box.length = getLong((byte*)&box.length, bigEndian); + box.type = getLong((byte*)&box.type, bigEndian); ++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata); + + if (bPrint) { + out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)), +@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m) + throw Error(kerInputDataReadFailed); + + if (bPrint) { +- out << Internal::binaryToString(makeSlice(rawData, 0, 40)); ++ out << Internal::binaryToString( ++ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_)); + out.flush(); + } + lf(out, bLF); + +- if (bIsExif && bRecursive && rawData.size_ > 0) { ++ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long" + if ((rawData.pData_[0] == rawData.pData_[1]) && + (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) { + BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_)); diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index ed1e8de5c2..d5d9e62ff2 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -9,7 +9,14 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994 # Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either inherit dos2unix -SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch" +SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \ + file://CVE-2021-29457.patch \ + file://CVE-2021-29458.patch \ + file://CVE-2021-29463.patch \ + file://CVE-2021-29464.patch \ + file://CVE-2021-29470.patch \ + file://CVE-2021-29473.patch \ + file://CVE-2021-3482.patch" S = "${WORKDIR}/${BPN}-${PV}-Source" diff --git a/meta-oe/recipes-support/fmt/fmt_6.2.0.bb b/meta-oe/recipes-support/fmt/fmt_6.2.0.bb index 05dc94a990..1a05f0d547 100644 --- a/meta-oe/recipes-support/fmt/fmt_6.2.0.bb +++ b/meta-oe/recipes-support/fmt/fmt_6.2.0.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://fmt.dev" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=af88d758f75f3c5c48a967501f24384b" -SRC_URI += "git://github.com/fmtlib/fmt" +SRC_URI += "git://github.com/fmtlib/fmt;branch=master;protocol=https" SRCREV = "9bdd1596cef1b57b9556f8bef32dc4a32322ef3e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_git.bb index 7cafbb7993..309acfbffc 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_git.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_git.bb @@ -16,7 +16,7 @@ PKGV = "${GITPKGVTAG}" # 2.0.0 release SRCREV = "5ab2bed8749747b8e4b2ed431fd102bc726be684" -SRC_URI = "git://github.com/FreeRDP/FreeRDP.git \ +SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \ file://winpr-makecert-Build-with-install-RPATH.patch \ " @@ -40,7 +40,7 @@ PACKAGECONFIG ??= " \ X11_DEPS = "virtual/libx11 libxinerama libxext libxcursor libxv libxi libxrender libxfixes libxdamage libxrandr libxkbfile" PACKAGECONFIG[x11] = "-DWITH_X11=ON -DWITH_XINERAMA=ON -DWITH_XEXT=ON -DWITH_XCURSOR=ON -DWITH_XV=ON -DWITH_XI=ON -DWITH_XRENDER=ON -DWITH_XFIXES=ON -DWITH_XDAMAGE=ON -DWITH_XRANDR=ON -DWITH_XKBFILE=ON,-DWITH_X11=OFF,${X11_DEPS}" -PACKAGECONFIG[wayland] = "-DWITH_WAYLAND=ON,-DWITH_WAYLAND=OFF,wayland wayland-native" +PACKAGECONFIG[wayland] = "-DWITH_WAYLAND=ON,-DWITH_WAYLAND=OFF,wayland wayland-native libxkbcommon" PACKAGECONFIG[directfb] = "-DWITH_DIRECTFB=ON,-DWITH_DIRECTFB=OFF,directfb" PACKAGECONFIG[pam] = "-DWITH_PAM=ON,-DWITH_PAM=OFF,libpam" PACKAGECONFIG[pulseaudio] = "-DWITH_PULSEAUDIO=ON,-DWITH_PULSEAUDIO=OFF,pulseaudio" diff --git a/meta-oe/recipes-support/function2/function2_4.0.0.bb b/meta-oe/recipes-support/function2/function2_4.0.0.bb index 556a25aa14..07aa669375 100644 --- a/meta-oe/recipes-support/function2/function2_4.0.0.bb +++ b/meta-oe/recipes-support/function2/function2_4.0.0.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c" SRCREV = "d2acdb6c3c7612a6133cd03464ef941161258f4e" PV .= "+git${SRCPV}" -SRC_URI += "gitsm://github.com/Naios/function2" +SRC_URI += "gitsm://github.com/Naios/function2;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/gd/gd_2.3.0.bb b/meta-oe/recipes-support/gd/gd_2.3.0.bb index eec8a05ae8..8adb7db4d1 100644 --- a/meta-oe/recipes-support/gd/gd_2.3.0.bb +++ b/meta-oe/recipes-support/gd/gd_2.3.0.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8e5bc8627b9494741c905d65238c66b7" DEPENDS = "freetype libpng jpeg zlib tiff" -SRC_URI = "git://github.com/libgd/libgd.git;branch=master \ +SRC_URI = "git://github.com/libgd/libgd.git;branch=master;protocol=https \ " SRCREV = "b079fa06223c3ab862c8f0eea58a968727971988" diff --git a/meta-oe/recipes-support/gflags/gflags_2.2.2.bb b/meta-oe/recipes-support/gflags/gflags_2.2.2.bb index 6eea0c00ec..4379c2d9e1 100644 --- a/meta-oe/recipes-support/gflags/gflags_2.2.2.bb +++ b/meta-oe/recipes-support/gflags/gflags_2.2.2.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/gflags/gflags" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING.txt;md5=c80d1a3b623f72bb85a4c75b556551df" -SRC_URI = "git://github.com/gflags/gflags.git" +SRC_URI = "git://github.com/gflags/gflags.git;branch=master;protocol=https" SRCREV = "e171aa2d15ed9eb17054558e0b3a6a413bb01067" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/glog/glog_0.3.5.bb b/meta-oe/recipes-support/glog/glog_0.3.5.bb index 56bf515544..55ca838cd7 100644 --- a/meta-oe/recipes-support/glog/glog_0.3.5.bb +++ b/meta-oe/recipes-support/glog/glog_0.3.5.bb @@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=dc9db360e0bbd4e46672f3fd91dd6c4b" SRC_URI = " \ - git://github.com/google/glog.git;nobranch=1 \ + git://github.com/google/glog.git;nobranch=1;protocol=https \ file://0001-Rework-CMake-glog-VERSION-management.patch \ file://0002-Find-Libunwind-during-configure.patch \ file://0003-installation-path-fix.patch \ diff --git a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb b/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb index 146747eee1..ac46b5676c 100644 --- a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb +++ b/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb @@ -13,7 +13,7 @@ LICENSE = "LGPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=56a22a6e5bcce45e2c8ac184f81412b5" SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3" -SRC_URI = "git://git.sv.gnu.org/gnulib.git \ +SRC_URI = "git://git.sv.gnu.org/gnulib.git;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb b/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb index b7b7839313..1a1f7db5cf 100644 --- a/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb +++ b/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=762732742c73dc6c7fbe8632f06c059a" SRCREV = "db7aa547abb5abdd558587a15502584cbc825438" -SRC_URI = "git://github.com/gperftools/gperftools \ +SRC_URI = "git://github.com/gperftools/gperftools;branch=master;protocol=https \ file://0001-Support-Atomic-ops-on-clang.patch \ file://0001-fix-build-with-musl-libc.patch \ file://0001-disbale-heap-checkers-and-debug-allocator-on-musl.patch \ diff --git a/meta-oe/recipes-support/gpm/gpm_git.bb b/meta-oe/recipes-support/gpm/gpm_git.bb index 3800d147f9..6bf071d89e 100644 --- a/meta-oe/recipes-support/gpm/gpm_git.bb +++ b/meta-oe/recipes-support/gpm/gpm_git.bb @@ -13,7 +13,7 @@ SRCREV = "1fd19417b8a4dd9945347e98dfa97e4cfd798d77" DEPENDS = "ncurses bison-native" -SRC_URI = "git://github.com/telmich/gpm;protocol=git \ +SRC_URI = "git://github.com/telmich/gpm;protocol=https;branch=master \ file://init \ file://gpm.service.in \ file://0001-Use-sigemptyset-API-instead-of-__sigemptyset.patch \ diff --git a/meta-oe/recipes-support/hidapi/hidapi_git.bb b/meta-oe/recipes-support/hidapi/hidapi_git.bb index a34797ff51..1cc3acac2c 100644 --- a/meta-oe/recipes-support/hidapi/hidapi_git.bb +++ b/meta-oe/recipes-support/hidapi/hidapi_git.bb @@ -8,7 +8,7 @@ DEPENDS = "libusb udev" PV = "0.7.99+0.8.0-rc1+git${SRCPV}" SRCREV = "d17db57b9d4354752e0af42f5f33007a42ef2906" -SRC_URI = "git://github.com/signal11/hidapi.git" +SRC_URI = "git://github.com/signal11/hidapi.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb b/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb index 3da67d1e3a..2e902ca4cb 100644 --- a/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb +++ b/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb @@ -135,7 +135,7 @@ RDEPENDS_${PN} = "hunspell" PV = "0.0.0+git${SRCPV}" SRCREV = "820a65e539e34a3a8c2a855d2450b84745c624ee" -SRC_URI = "git://github.com/wooorm/dictionaries.git" +SRC_URI = "git://github.com/wooorm/dictionaries.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb b/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb index c2fb4fa05b..63d68ea06b 100644 --- a/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb +++ b/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = " \ " SRCREV = "4ddd8ed5ca6484b930b111aec50c2750a6119a0f" -SRC_URI = "git://github.com/${BPN}/${BPN}.git" +SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/hwdata/hwdata_git.bb b/meta-oe/recipes-support/hwdata/hwdata_git.bb index 5f3e3f686a..1d0c640003 100644 --- a/meta-oe/recipes-support/hwdata/hwdata_git.bb +++ b/meta-oe/recipes-support/hwdata/hwdata_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=1556547711e8246992b999edd9445a57" PV = "0.333" SRCREV = "2de52be0d00015fa6cde70bb845fa9b86cf6f420" -SRC_URI = "git://github.com/vcrhonek/${BPN}.git" +SRC_URI = "git://github.com/vcrhonek/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/iksemel/iksemel_1.5.bb b/meta-oe/recipes-support/iksemel/iksemel_1.5.bb index 986984d1ff..ac23630d01 100644 --- a/meta-oe/recipes-support/iksemel/iksemel_1.5.bb +++ b/meta-oe/recipes-support/iksemel/iksemel_1.5.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499" SRCREV = "978b733462e41efd5db72bc9974cb3b0d1d5f6fa" PV = "1.5+git${SRCPV}" -SRC_URI = "git://github.com/meduketto/iksemel.git;protocol=https \ +SRC_URI = "git://github.com/meduketto/iksemel.git;protocol=https;branch=master \ file://fix-configure-option-parsing.patch \ file://avoid-obsolete-gnutls-apis.patch" diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb index 3f7d06e261..21f51ff155 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb @@ -10,7 +10,7 @@ DEPENDS = "lcms bzip2 jpeg libpng tiff zlib fftw freetype libtool" BASE_PV := "${PV}" PV .= "_13" -SRC_URI = "git://github.com/ImageMagick/ImageMagick.git " +SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=https" SRCREV = "15b935d64f613b5a0fc9d3fead5c6ec1b0e3908f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/inih/libinih_git.bb b/meta-oe/recipes-support/inih/libinih_git.bb index 227e2a7b7c..4c3c8f0fa7 100644 --- a/meta-oe/recipes-support/inih/libinih_git.bb +++ b/meta-oe/recipes-support/inih/libinih_git.bb @@ -9,7 +9,7 @@ PR = "r3" # The github repository provides a cmake and pkg-config integration SRCREV = "c858aff8c31fa63ef4d1e0176c10e5928cde9a23" -SRC_URI = "git://github.com/OSSystems/inih.git \ +SRC_URI = "git://github.com/OSSystems/inih.git;branch=master;protocol=https \ " UPSTREAM_CHECK_COMMITS = "1" diff --git a/meta-oe/recipes-support/iniparser/iniparser_4.1.bb b/meta-oe/recipes-support/iniparser/iniparser_4.1.bb index f4b553a578..f3593fb5ff 100644 --- a/meta-oe/recipes-support/iniparser/iniparser_4.1.bb +++ b/meta-oe/recipes-support/iniparser/iniparser_4.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e02baf71c76e0650e667d7da133379ac" DEPENDS = "doxygen-native" -SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https \ +SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https;branch=master \ file://Add-CMake-support.patch" # tag 4.1 diff --git a/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb b/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb index f42abeb2ba..1d84bfd498 100644 --- a/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb +++ b/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ac6c26e52aea428ee7f56dc2c56424c6" SRCREV = "cfa93aa19f81d85b63cd64da30c7499890d4c07d" PV = "3.20.2.2" -SRC_URI = "git://github.com/rvoicilas/${BPN} \ +SRC_URI = "git://github.com/rvoicilas/${BPN};branch=master;protocol=https \ file://0001-Makefile.am-add-build-rule-for-README.patch \ " diff --git a/meta-oe/recipes-support/lcov/lcov_1.14.bb b/meta-oe/recipes-support/lcov/lcov_1.14.bb index 0cc8b31b3f..5e8fb938cf 100755 --- a/meta-oe/recipes-support/lcov/lcov_1.14.bb +++ b/meta-oe/recipes-support/lcov/lcov_1.14.bb @@ -59,7 +59,7 @@ SRC_URI[md5sum] = "0220d01753469f83921f8f41ae5054c1" SRC_URI[sha256sum] = "14995699187440e0ae4da57fe3a64adc0a3c5cf14feab971f8db38fb7d8f071a" do_install() { - oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} + oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} LCOV_PERL_PATH="/usr/bin/env perl" } BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb b/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb index 4cfb732932..d084a3b9b1 100644 --- a/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb +++ b/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LGPL;md5=2d5025d4aa3495befef8f17206a5b0a1" DEPENDS = "udev" SRCREV = "de6258940960443038b4c1651dfda3620075e870" -SRC_URI = "git://git.0pointer.de/libatasmart.git \ +SRC_URI = "git://git.0pointer.de/libatasmart.git;branch=master \ file://0001-Makefile.am-add-CFLAGS-and-LDFLAGS-definiton.patch \ " diff --git a/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch b/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch new file mode 100644 index 0000000000..ea3ddfb64b --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch @@ -0,0 +1,27 @@ +From 68f66d1583be670eb8d5f3f38dbd5dd1d63b733c Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 21:41:04 -0700 +Subject: [PATCH] example: Do not run the tests + +Upstream-Status: Inappropritate [Cross-compile specific] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + examples/Makefile | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/examples/Makefile b/examples/Makefile +index d9667a5..554b346 100644 +--- a/examples/Makefile ++++ b/examples/Makefile +@@ -33,11 +33,8 @@ depend: $(SOURCES) + makedepend -f- $(CFLAGS) $(SOURCES) 2> /dev/null 1> depend + + test-c-example1: c-example1 +- ./c-example1 + + test-c-example2: c-example2 +- ./c-example2 loremgibson.txt encoded.txt decoded.txt +- diff -q loremgibson.txt decoded.txt + + test: test-c-example1 test-c-example2 + diff --git a/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch b/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch new file mode 100644 index 0000000000..10ec8e14a8 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch @@ -0,0 +1,57 @@ +From ee03e265804a07a0da5028b86960031bd7ab86b2 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:01:13 -0700 +Subject: [PATCH] use BUFSIZ as buffer size + +Author: Jakub Wilk <jwilk@debian.org> +Bug: http://sourceforge.net/tracker/?func=detail&atid=785907&aid=3591336&group_id=152942 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/b64/decode.h | 3 ++- + include/b64/encode.h | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/b64/decode.h b/include/b64/decode.h +index 12b16ea..e9019f3 100644 +--- a/include/b64/decode.h ++++ b/include/b64/decode.h +@@ -8,6 +8,7 @@ For details, see http://sourceforge.net/projects/libb64 + #ifndef BASE64_DECODE_H + #define BASE64_DECODE_H + ++#include <cstdio> + #include <iostream> + + namespace base64 +@@ -22,7 +23,7 @@ namespace base64 + base64_decodestate _state; + int _buffersize; + +- decoder(int buffersize_in = BUFFERSIZE) ++ decoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) + {} + +diff --git a/include/b64/encode.h b/include/b64/encode.h +index 5d807d9..e7a7035 100644 +--- a/include/b64/encode.h ++++ b/include/b64/encode.h +@@ -8,6 +8,7 @@ For details, see http://sourceforge.net/projects/libb64 + #ifndef BASE64_ENCODE_H + #define BASE64_ENCODE_H + ++#include <cstdio> + #include <iostream> + + namespace base64 +@@ -22,7 +23,7 @@ namespace base64 + base64_encodestate _state; + int _buffersize; + +- encoder(int buffersize_in = BUFFERSIZE) ++ encoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) + {} + diff --git a/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch b/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch new file mode 100644 index 0000000000..8854bb6af4 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch @@ -0,0 +1,77 @@ +From 7b30fbc3d47dfaf38d8ce8b8949a69d2984dac76 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:06:03 -0700 +Subject: [PATCH] fix integer overflows + +Author: Jakub Wilk <jwilk@debian.org> +Bug: http://sourceforge.net/tracker/?func=detail&aid=3591129&group_id=152942&atid=785907 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cdecode.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/cdecode.c b/src/cdecode.c +index a6c0a42..4e47e9f 100644 +--- a/src/cdecode.c ++++ b/src/cdecode.c +@@ -9,10 +9,11 @@ For details, see http://sourceforge.net/projects/libb64 + + int base64_decode_value(char value_in) + { +- static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; ++ static const signed char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; + static const char decoding_size = sizeof(decoding); ++ if (value_in < 43) return -1; + value_in -= 43; +- if (value_in < 0 || value_in >= decoding_size) return -1; ++ if (value_in > decoding_size) return -1; + return decoding[(int)value_in]; + } + +@@ -26,7 +27,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + { + const char* codechar = code_in; + char* plainchar = plaintext_out; +- char fragment; ++ int fragment; + + *plainchar = state_in->plainchar; + +@@ -42,7 +43,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar = (fragment & 0x03f) << 2; + case step_b: +@@ -53,7 +54,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x030) >> 4; + *plainchar = (fragment & 0x00f) << 4; +@@ -65,7 +66,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03c) >> 2; + *plainchar = (fragment & 0x003) << 6; +@@ -77,7 +78,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03f); + } diff --git a/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch b/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch new file mode 100644 index 0000000000..e19dbad08d --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch @@ -0,0 +1,26 @@ +From 8144fd9e02bd5ccd1e080297b19a1e9eb4d3ff96 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:07:15 -0700 +Subject: [PATCH] Fix off by one error + +Launchpad bug #1501176 reported by William McCall on 2015-09-30 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cdecode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cdecode.c b/src/cdecode.c +index 4e47e9f..45da4e1 100644 +--- a/src/cdecode.c ++++ b/src/cdecode.c +@@ -13,7 +13,7 @@ int base64_decode_value(char value_in) + static const char decoding_size = sizeof(decoding); + if (value_in < 43) return -1; + value_in -= 43; +- if (value_in > decoding_size) return -1; ++ if (value_in >= decoding_size) return -1; + return decoding[(int)value_in]; + } + diff --git a/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch b/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch new file mode 100644 index 0000000000..e93015ee48 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch @@ -0,0 +1,40 @@ +From a7914d5ffee6ffdfb3f2b8ebcc22c8367d078301 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:08:43 -0700 +Subject: [PATCH] make overriding CFLAGS possible + +Author: Jakub Wilk <jwilk@debian.org> + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + base64/Makefile | 2 +- + src/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base64/Makefile b/base64/Makefile +index 30a2c5c..783a248 100644 +--- a/base64/Makefile ++++ b/base64/Makefile +@@ -3,7 +3,7 @@ BINARIES = base64 + # Build flags (uncomment one) + ############################# + # Release build flags +-CFLAGS += -O3 ++CFLAGS ?= -O3 + ############################# + # Debug build flags + #CFLAGS += -g +diff --git a/src/Makefile b/src/Makefile +index 28b2382..48801fc 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -3,7 +3,7 @@ LIBRARIES = libb64.a + # Build flags (uncomment one) + ############################# + # Release build flags +-CFLAGS += -O3 ++CFLAGS ?= -O3 + ############################# + # Debug build flags + #CFLAGS += -g diff --git a/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch b/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch new file mode 100644 index 0000000000..9ba08c87ee --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch @@ -0,0 +1,27 @@ +From a1b9bb4af819ed389675f16e4a521efeda4cc3f3 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:10:48 -0700 +Subject: [PATCH] do not export the CHARS_PER_LINE variable + +The library exports a variable named "CHARS_PER_LINE". This is a generic name that could conflict with a name in user's code. +Please either rename the variable or make it static. + +Upstream-Status: Submitted [http://sourceforge.net/tracker/?func=detail&aid=3591420&group_id=152942&atid=785907] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cencode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cencode.c b/src/cencode.c +index 03ba5b6..3df62a8 100644 +--- a/src/cencode.c ++++ b/src/cencode.c +@@ -7,7 +7,7 @@ For details, see http://sourceforge.net/projects/libb64 + + #include <b64/cencode.h> + +-const int CHARS_PER_LINE = 72; ++static const int CHARS_PER_LINE = 72; + + void base64_init_encodestate(base64_encodestate* state_in) + { diff --git a/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch b/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch new file mode 100644 index 0000000000..fdf8339bed --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch @@ -0,0 +1,44 @@ +From c1ba44d83cc7d9d756cfb063717852eae9d03328 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:12:41 -0700 +Subject: [PATCH] initialize encoder/decoder state in the constructors + +Author: Jakub Wilk <jwilk@debian.org> + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/b64/decode.h | 4 +++- + include/b64/encode.h | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/include/b64/decode.h b/include/b64/decode.h +index e9019f3..aefb7bc 100644 +--- a/include/b64/decode.h ++++ b/include/b64/decode.h +@@ -25,7 +25,9 @@ namespace base64 + + decoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) +- {} ++ { ++ base64_init_decodestate(&_state); ++ } + + int decode(char value_in) + { +diff --git a/include/b64/encode.h b/include/b64/encode.h +index e7a7035..33848b3 100644 +--- a/include/b64/encode.h ++++ b/include/b64/encode.h +@@ -25,7 +25,9 @@ namespace base64 + + encoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) +- {} ++ { ++ base64_init_encodestate(&_state); ++ } + + int encode(char value_in) + { diff --git a/meta-oe/recipes-support/libb64/libb64_1.2.1.bb b/meta-oe/recipes-support/libb64/libb64_1.2.1.bb new file mode 100644 index 0000000000..64a34fece7 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64_1.2.1.bb @@ -0,0 +1,39 @@ +SUMMARY = "Base64 Encoding/Decoding Routines" +DESCRIPTION = "base64 encoding/decoding library - runtime library \ +libb64 is a library of ANSI C routines for fast encoding/decoding data into \ +and from a base64-encoded format" +HOMEPAGE = "http://libb64.sourceforge.net/" +LICENSE = "PD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ce551aad762074c7ab618a0e07a8dca3" + +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}/${BP}.zip \ + file://0001-example-Do-not-run-the-tests.patch \ + file://0002-use-BUFSIZ-as-buffer-size.patch \ + file://0003-fix-integer-overflows.patch \ + file://0004-Fix-off-by-one-error.patch \ + file://0005-make-overriding-CFLAGS-possible.patch \ + file://0006-do-not-export-the-CHARS_PER_LINE-variable.patch \ + file://0007-initialize-encoder-decoder-state-in-the-constructors.patch \ + " +SRC_URI[sha256sum] = "20106f0ba95cfd9c35a13c71206643e3fb3e46512df3e2efb2fdbf87116314b2" + +PARALLEL_MAKE = "" + +CFLAGS += "-fPIC" + +do_configure () { + : +} + +do_compile () { + oe_runmake + ${CC} ${LDFLAGS} ${CFLAGS} -shared -Wl,-soname,${BPN}.so.0 src/*.o -o src/${BPN}.so.0 +} + +do_install () { + install -d ${D}${includedir}/b64 + install -Dm 0644 ${B}/src/libb64.a ${D}${libdir}/libb64.a + install -Dm 0644 ${B}/src/libb64.so.0 ${D}${libdir}/libb64.so.0 + ln -s libb64.so.0 ${D}${libdir}/libb64.so + install -Dm 0644 ${S}/include/b64/*.h ${D}${includedir}/b64/ +} diff --git a/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb b/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb index a954499c69..527de93e40 100644 --- a/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb +++ b/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb @@ -10,7 +10,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "e64e752a28a4a41b0a43cba3bedf9571c22af807" -SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master" +SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master;protocol=https" inherit gettext autotools python3native diff --git a/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb b/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb index 6fc5881c59..ac6aedfd50 100644 --- a/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb +++ b/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb @@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e612690af2f575dfd02e2e91443cea23" SRCREV = "02eace19a99ce3cd564ca4e379753d69af08c2c8" -SRC_URI = "git://github.com/USCiLab/cereal.git" +SRC_URI = "git://github.com/USCiLab/cereal.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb b/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb index 74b5e21e23..c6878577ef 100644 --- a/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb +++ b/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb @@ -8,7 +8,7 @@ DEPENDS = "libusb udev" PV = "1.0.0+git${SRCPV}" SRCREV = "655e2d544183d094f0e2d119c7e0c6206a0ddb3f" -SRC_URI = "git://github.com/cyrozap/${BPN}.git" +SRC_URI = "git://github.com/cyrozap/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libfann/libfann_git.bb b/meta-oe/recipes-support/libfann/libfann_git.bb index eae24461dc..5ab484d8a5 100644 --- a/meta-oe/recipes-support/libfann/libfann_git.bb +++ b/meta-oe/recipes-support/libfann/libfann_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=f14599a2f089f6ff8c97e2baa4e3d575" inherit cmake SRCREV ?= "7ec1fc7e5bd734f1d3c89b095e630e83c86b9be1" -SRC_URI = "git://github.com/libfann/fann.git;branch=master \ +SRC_URI = "git://github.com/libfann/fann.git;branch=master;protocol=https \ " PV = "2.2.0+git${SRCPV}" diff --git a/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb b/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb index 9b9c191049..c971491b1c 100644 --- a/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb +++ b/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f2cd5d3cccd71d62066ba619614592b" DEPENDS = "curl openssl zlib libssh2 libgcrypt" -SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v0.28" +SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v0.28;protocol=https" SRCREV = "106a5f27586504ea371528191f0ea3aac2ad432b" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libgusb/libgusb_git.bb b/meta-oe/recipes-support/libgusb/libgusb_git.bb index e3c0bdd15e..a26c234652 100644 --- a/meta-oe/recipes-support/libgusb/libgusb_git.bb +++ b/meta-oe/recipes-support/libgusb/libgusb_git.bb @@ -6,7 +6,7 @@ DEPENDS = "glib-2.0 libusb" inherit meson gobject-introspection gtk-doc gettext vala -SRC_URI = "git://github.com/hughsie/libgusb.git" +SRC_URI = "git://github.com/hughsie/libgusb.git;branch=master;protocol=https" SRCREV = "636efc0624aa2a88174220fcabc9764c13d7febf" PV = "0.3.0+git${SRCPV}" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libharu/libharu_2.3.0.bb b/meta-oe/recipes-support/libharu/libharu_2.3.0.bb index 2d1a37c421..86b5ba540f 100644 --- a/meta-oe/recipes-support/libharu/libharu_2.3.0.bb +++ b/meta-oe/recipes-support/libharu/libharu_2.3.0.bb @@ -6,7 +6,7 @@ DESCRIPTION = "libHaru is a library for generating PDF files. \ LICENSE = "Zlib" LIC_FILES_CHKSUM = "file://README;md5=3ee6bc1f64d9cc7907f44840c8e50cb1" -SRC_URI = "git://github.com/libharu/libharu.git;branch=2_3 \ +SRC_URI = "git://github.com/libharu/libharu.git;branch=2_3;protocol=https \ file://libharu-RELEASE_2_3_0_cmake.patch \ " diff --git a/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-oe/recipes-support/libiio/libiio_git.bb index f83d9c9225..8fbe474485 100644 --- a/meta-oe/recipes-support/libiio/libiio_git.bb +++ b/meta-oe/recipes-support/libiio/libiio_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c" SRCREV = "5f5af2e417129ad8f4e05fc5c1b730f0694dca12" PV = "0.19+git${SRCPV}" -SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https" +SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=main" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch new file mode 100644 index 0000000000..ff792d4daa --- /dev/null +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch @@ -0,0 +1,158 @@ +From 86d9a61be6395220714b1a50d5144e65668961f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ernst=20Sj=C3=B6strand?= <ernst.sjostrand@verisure.com> +Date: Tue, 21 Dec 2021 11:05:22 +0000 +Subject: [PATCH] Fix buffer overflow in url parser and add test + +Reference: +https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241 + +Upstream-Status: Backport +CVE: CVE-2021-3466 + +Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com> +--- + src/microhttpd/postprocessor.c | 18 ++++++-- + src/microhttpd/test_postprocessor.c | 66 +++++++++++++++++++++++++++++ + 2 files changed, 80 insertions(+), 4 deletions(-) + +diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c +index b7f6b10..ebd1686 100644 +--- a/src/microhttpd/postprocessor.c ++++ b/src/microhttpd/postprocessor.c +@@ -137,8 +137,7 @@ struct MHD_PostProcessor + void *cls; + + /** +- * Encoding as given by the headers of the +- * connection. ++ * Encoding as given by the headers of the connection. + */ + const char *encoding; + +@@ -586,7 +585,7 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + pp->state = PP_Error; + break; + case PP_Callback: +- if ( (pp->buffer_pos + (end_key - start_key) > ++ if ( (pp->buffer_pos + (end_key - start_key) >= + pp->buffer_size) || + (pp->buffer_pos + (end_key - start_key) < + pp->buffer_pos) ) +@@ -636,6 +635,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + { + if (NULL == end_key) + end_key = &post_data[poff]; ++ if (pp->buffer_pos + (end_key - start_key) >= pp->buffer_size) ++ { ++ pp->state = PP_Error; ++ return MHD_NO; ++ } + memcpy (&kbuf[pp->buffer_pos], + start_key, + end_key - start_key); +@@ -663,6 +667,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + last_escape); + pp->must_ikvi = false; + } ++ if (PP_Error == pp->state) ++ { ++ /* State in error, returning failure */ ++ return MHD_NO; ++ } + return MHD_YES; + } + +@@ -1424,7 +1433,8 @@ MHD_destroy_post_processor (struct MHD_PostProcessor *pp) + the post-processing may have been interrupted + at any stage */ + if ( (pp->xbuf_pos > 0) || +- (pp->state != PP_Done) ) ++ ( (pp->state != PP_Done) && ++ (pp->state != PP_Init) ) ) + ret = MHD_NO; + else + ret = MHD_YES; +diff --git a/src/microhttpd/test_postprocessor.c b/src/microhttpd/test_postprocessor.c +index 2c37565..cba486d 100644 +--- a/src/microhttpd/test_postprocessor.c ++++ b/src/microhttpd/test_postprocessor.c +@@ -451,6 +451,71 @@ test_empty_value (void) + } + + ++static enum MHD_Result ++value_checker2 (void *cls, ++ enum MHD_ValueKind kind, ++ const char *key, ++ const char *filename, ++ const char *content_type, ++ const char *transfer_encoding, ++ const char *data, ++ uint64_t off, ++ size_t size) ++{ ++ return MHD_YES; ++} ++ ++ ++static int ++test_overflow () ++{ ++ struct MHD_Connection connection; ++ struct MHD_HTTP_Header header; ++ struct MHD_PostProcessor *pp; ++ size_t i; ++ size_t j; ++ size_t delta; ++ char *buf; ++ ++ memset (&connection, 0, sizeof (struct MHD_Connection)); ++ memset (&header, 0, sizeof (struct MHD_HTTP_Header)); ++ connection.headers_received = &header; ++ header.header = MHD_HTTP_HEADER_CONTENT_TYPE; ++ header.value = MHD_HTTP_POST_ENCODING_FORM_URLENCODED; ++ header.header_size = strlen (header.header); ++ header.value_size = strlen (header.value); ++ header.kind = MHD_HEADER_KIND; ++ for (i = 128; i < 1024 * 1024; i += 1024) ++ { ++ pp = MHD_create_post_processor (&connection, ++ 1024, ++ &value_checker2, ++ NULL); ++ buf = malloc (i); ++ if (NULL == buf) ++ return 1; ++ memset (buf, 'A', i); ++ buf[i / 2] = '='; ++ delta = 1 + (MHD_random_ () % (i - 1)); ++ j = 0; ++ while (j < i) ++ { ++ if (j + delta > i) ++ delta = i - j; ++ if (MHD_NO == ++ MHD_post_process (pp, ++ &buf[j], ++ delta)) ++ break; ++ j += delta; ++ } ++ free (buf); ++ MHD_destroy_post_processor (pp); ++ } ++ return 0; ++} ++ ++ + int + main (int argc, char *const *argv) + { +@@ -463,6 +528,7 @@ main (int argc, char *const *argv) + errorCount += test_multipart (); + errorCount += test_nested_multipart (); + errorCount += test_empty_value (); ++ errorCount += test_overflow (); + if (errorCount != 0) + fprintf (stderr, "Error (code: %u)\n", errorCount); + return errorCount != 0; /* 0 == pass */ diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb index 94976d2e98..9d5e85e1ad 100644 --- a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb @@ -7,7 +7,8 @@ SECTION = "net" DEPENDS = "file" SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \ -" + file://CVE-2021-3466.patch \ + " SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74" SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307" diff --git a/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb b/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb index 590c4ebc28..fc0b1ee495 100644 --- a/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb +++ b/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb @@ -10,7 +10,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=b49da7df0ca479ef01ff7f2d799eabee" SRCREV = "50486af99b4f9b35522d7b3de40b6ce107505279" -SRC_URI += "git://github.com/LadislavSopko/mimetic/ \ +SRC_URI += "git://github.com/LadislavSopko/mimetic/;branch=master;protocol=https \ file://0001-libmimetic-Removing-test-directory-from-the-Makefile.patch \ file://0001-mimetic-Check-for-MMAP_FAILED-return-from-mmap.patch \ " diff --git a/meta-oe/recipes-support/libmxml/libmxml_3.1.bb b/meta-oe/recipes-support/libmxml/libmxml_3.1.bb index 4e77d6cc02..fd3369d8df 100644 --- a/meta-oe/recipes-support/libmxml/libmxml_3.1.bb +++ b/meta-oe/recipes-support/libmxml/libmxml_3.1.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" HOMEPAGE = "https://www.msweet.org/mxml/" BUGTRACKER = "https://github.com/michaelrsweet/mxml/issues" -SRC_URI = "git://github.com/michaelrsweet/mxml.git" +SRC_URI = "git://github.com/michaelrsweet/mxml.git;branch=master;protocol=https" SRCREV = "e483e5fd8a33386fd46967681521bdd2da2b548f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libp11/libp11_0.4.10.bb b/meta-oe/recipes-support/libp11/libp11_0.4.10.bb index 7fe0640d94..142002a262 100644 --- a/meta-oe/recipes-support/libp11/libp11_0.4.10.bb +++ b/meta-oe/recipes-support/libp11/libp11_0.4.10.bb @@ -9,7 +9,7 @@ LICENSE = "LGPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29" DEPENDS = "libtool openssl" -SRC_URI = "git://github.com/OpenSC/libp11.git" +SRC_URI = "git://github.com/OpenSC/libp11.git;branch=master;protocol=https" SRCREV = "973d31f3f58d5549ddd8b1f822ce8f72186f9d68" UPSTREAM_CHECK_GITTAGREGEX = "libp11-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-oe/recipes-support/librsync/librsync_2.3.1.bb b/meta-oe/recipes-support/librsync/librsync_2.3.1.bb index 004c93d0f9..fddece8d1f 100644 --- a/meta-oe/recipes-support/librsync/librsync_2.3.1.bb +++ b/meta-oe/recipes-support/librsync/librsync_2.3.1.bb @@ -4,7 +4,7 @@ AUTHOR = "Martin Pool, Andrew Tridgell, Donovan Baarda, Adam Schubert" LICENSE = "LGPLv2.1+" LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499" -SRC_URI = "git://github.com/librsync/librsync.git" +SRC_URI = "git://github.com/librsync/librsync.git;branch=master;protocol=https" SRCREV = "27f738650c20fef1285f11d85a34e5094a71c06f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb b/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb index 8b773aefa5..f6fc0e36b6 100644 --- a/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb +++ b/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e0bfebea12a718922225ba987b2126a5" inherit autotools pkgconfig python3-dir SRCREV = "fd1ad6e7823fa76d8db0d3c5884faffa8ffddafb" -SRC_URI = "git://github.com/jackmitch/libsoc.git" +SRC_URI = "git://github.com/jackmitch/libsoc.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch new file mode 100644 index 0000000000..2944a44622 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch @@ -0,0 +1,40 @@ +From 533d881b0f4b24c72b35ecc97fa35d295d063e53 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:04:09 +0200 +Subject: [PATCH] sftpserver: Add missing NULL check for ssh_buffer_new() + +Thanks to Ramin Farajpour Cami for spotting this. + +Fixes T232 + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/sftpserver.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index 5a2110e58..b639a2ce3 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) { + + /* take a copy of the whole packet */ + msg->complete_message = ssh_buffer_new(); ++ if (msg->complete_message == NULL) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } ++ + ssh_buffer_add_data(msg->complete_message, + ssh_buffer_get(payload), + ssh_buffer_get_len(payload)); +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch new file mode 100644 index 0000000000..3c4ff0c614 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch @@ -0,0 +1,42 @@ +From 2782cb0495b7450bd8fe43ce4af886b66fea6c40 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:05:51 +0200 +Subject: [PATCH] sftpserver: Add missing return check for + ssh_buffer_add_data() + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/sftpserver.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b639a2ce3..9117f155f 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) { + return NULL; + } + +- ssh_buffer_add_data(msg->complete_message, +- ssh_buffer_get(payload), +- ssh_buffer_get_len(payload)); ++ rc = ssh_buffer_add_data(msg->complete_message, ++ ssh_buffer_get(payload), ++ ssh_buffer_get_len(payload)); ++ if (rc < 0) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } + + ssh_buffer_get_u32(payload, &msg->id); + +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch new file mode 100644 index 0000000000..03a8ac156a --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch @@ -0,0 +1,70 @@ +From 10b3ebbe61a7031a3dae97f05834442220447181 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:10:11 +0200 +Subject: [PATCH] buffer: Reformat ssh_buffer_add_data() + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/buffer.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/src/buffer.c b/src/buffer.c +index a2e6246af..476bc1358 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer) + */ + int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) + { +- buffer_verify(buffer); ++ buffer_verify(buffer); + +- if (data == NULL) { +- return -1; +- } ++ if (data == NULL) { ++ return -1; ++ } + +- if (buffer->used + len < len) { +- return -1; +- } ++ if (buffer->used + len < len) { ++ return -1; ++ } + +- if (buffer->allocated < (buffer->used + len)) { +- if(buffer->pos > 0) +- buffer_shift(buffer); +- if (realloc_buffer(buffer, buffer->used + len) < 0) { +- return -1; ++ if (buffer->allocated < (buffer->used + len)) { ++ if (buffer->pos > 0) { ++ buffer_shift(buffer); ++ } ++ if (realloc_buffer(buffer, buffer->used + len) < 0) { ++ return -1; ++ } + } +- } + +- memcpy(buffer->data+buffer->used, data, len); +- buffer->used+=len; +- buffer_verify(buffer); +- return 0; ++ memcpy(buffer->data + buffer->used, data, len); ++ buffer->used += len; ++ buffer_verify(buffer); ++ return 0; + } + + /** +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch new file mode 100644 index 0000000000..8e9a4c3f5c --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch @@ -0,0 +1,34 @@ +From 245ad744b5ab0582fef7cf3905a717b791d7e08b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:11:21 +0200 +Subject: [PATCH] buffer: Add NULL check for 'buffer' argument + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index 476bc1358..ce12f491a 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer) + */ + int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) + { ++ if (buffer == NULL) { ++ return -1; ++ } ++ + buffer_verify(buffer); + + if (data == NULL) { +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index 39ed8a8fbb..0fb07a0eb7 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -6,7 +6,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0" DEPENDS = "zlib openssl libgcrypt" -SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8" +SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8 \ + file://CVE-2020-16135-1.patch \ + file://CVE-2020-16135-2.patch \ + file://CVE-2020-16135-3.patch \ + file://CVE-2020-16135-4.patch \ + " + SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch b/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch new file mode 100644 index 0000000000..49dbde737f --- /dev/null +++ b/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch @@ -0,0 +1,39 @@ +From 642eec48ff3adfdb7a9e562b6d7fc865d1733f45 Mon Sep 17 00:00:00 2001 +From: lutianxiong <lutianxiong@huawei.com> +Date: Fri, 29 May 2020 01:25:40 +0800 +Subject: [PATCH] transport.c: fix use-of-uninitialized-value (#476) + +file:transport.c + +notes: +return error if malloc(0) + +credit: +lutianxiong + +Bug: https://github.com/libssh2/libssh2/pull/476 +Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 +& +https://github.com/libssh2/libssh2/commit/0b44e558f311671f6e6d14c559bc1c9bda59b8df] +CVE: CVE-2020-22218 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index 45e445c..35e7df3 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -465,7 +465,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + * or less (including length, padding length, payload, + * padding, and MAC.)." + */ +- if(total_num > LIBSSH2_PACKET_MAXPAYLOAD) { ++ if(total_num > LIBSSH2_PACKET_MAXPAYLOAD || total_num == 0) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb index c1f337a440..e11e663769 100644 --- a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb +++ b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://CVE-2019-17498.patch \ + file://CVE-2020-22218.patch \ " SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927" SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd" diff --git a/meta-oe/recipes-support/libteam/libteam_1.30.bb b/meta-oe/recipes-support/libteam/libteam_1.30.bb index 9cd02b0c09..d04660ca10 100644 --- a/meta-oe/recipes-support/libteam/libteam_1.30.bb +++ b/meta-oe/recipes-support/libteam/libteam_1.30.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" DEPENDS = "libnl libdaemon jansson" -SRC_URI = "git://github.com/jpirko/libteam \ +SRC_URI = "git://github.com/jpirko/libteam;branch=master;protocol=https \ file://0001-include-sys-select.h-for-fd_set-definition.patch \ file://0002-teamd-Re-adjust-include-header-order.patch \ file://0001-team_basic_test.py-disable-RedHat-specific-test.patch \ diff --git a/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb b/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb index a2491cf9e6..2a33284b8a 100644 --- a/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb +++ b/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "Zlib" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=135624eef03e1f1101b9ba9ac9b5fffd" -SRC_URI = "git://github.com/leethomason/tinyxml2.git" +SRC_URI = "git://github.com/leethomason/tinyxml2.git;branch=master;protocol=https" SRCREV = "bf15233ad88390461f6ab0dbcf046cce643c5fcb" diff --git a/meta-oe/recipes-support/libusbg/libusbg_git.bb b/meta-oe/recipes-support/libusbg/libusbg_git.bb index 97d60a6a8a..6edac56fef 100644 --- a/meta-oe/recipes-support/libusbg/libusbg_git.bb +++ b/meta-oe/recipes-support/libusbg/libusbg_git.bb @@ -8,7 +8,7 @@ inherit autotools PV = "0.1.0" SRCREV = "a826d136e0e8fa53815f1ba05893e6dd74208c15" -SRC_URI = "git://github.com/libusbg/libusbg.git \ +SRC_URI = "git://github.com/libusbg/libusbg.git;branch=master;protocol=https \ file://0001-Fix-out-of-tree-builds.patch \ " diff --git a/meta-oe/recipes-support/libusbgx/libusbgx_git.bb b/meta-oe/recipes-support/libusbgx/libusbgx_git.bb index d73ca61060..b88941d6e3 100644 --- a/meta-oe/recipes-support/libusbgx/libusbgx_git.bb +++ b/meta-oe/recipes-support/libusbgx/libusbgx_git.bb @@ -11,7 +11,7 @@ PV = "0.2.0+git${SRCPV}" SRCREV = "45c14ef4d5d7ced0fbf984208de44ced6d5ed898" SRCBRANCH = "master" SRC_URI = " \ - git://github.com/libusbgx/libusbgx.git;branch=${SRCBRANCH} \ + git://github.com/libusbgx/libusbgx.git;branch=${SRCBRANCH};protocol=https \ file://gadget-start \ file://usbgx.initd \ file://usbgx.service \ diff --git a/meta-oe/recipes-support/libutempter/libutempter.bb b/meta-oe/recipes-support/libutempter/libutempter.bb index b8a700b7b7..d259f166d1 100644 --- a/meta-oe/recipes-support/libutempter/libutempter.bb +++ b/meta-oe/recipes-support/libutempter/libutempter.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" SRCREV = "3ef74fff310f09e2601e241b9f042cd39d591018" PV = "1.1.6-alt2+git${SRCPV}" -SRC_URI = "git://git.altlinux.org/people/ldv/packages/libutempter.git \ +SRC_URI = "git://git.altlinux.org/people/ldv/packages/libutempter.git;branch=master \ file://0001-Fix-macro-error.patch \ file://0002-Proper-macro-path-generation.patch \ file://libutempter-remove-glibc-assumption.patch \ diff --git a/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb b/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb index 0fb4a6e516..aab81461a4 100644 --- a/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb +++ b/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://debian/copyright;md5=c3ea231a32635cbb5debedf3e88aa3df PV = "4.1+git${SRCPV}" -SRC_URI = "git://github.com/Datera/lio-utils.git \ +SRC_URI = "git://github.com/Datera/lio-utils.git;branch=master;protocol=https \ file://0001-Makefiles-Respect-environment-variables-and-add-LDFL.patch \ " SRCREV = "0ac9091c1ff7a52d5435a4f4449e82637142e06e" diff --git a/meta-oe/recipes-support/lvm2/lvm2.inc b/meta-oe/recipes-support/lvm2/lvm2.inc index 01c9df45c1..d0fb33d118 100644 --- a/meta-oe/recipes-support/lvm2/lvm2.inc +++ b/meta-oe/recipes-support/lvm2/lvm2.inc @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12713b4d9386533feeb07d6e4831765a \ DEPENDS += "libaio" -SRC_URI = "git://sourceware.org/git/lvm2.git \ +SRC_URI = "git://sourceware.org/git/lvm2.git;branch=master \ file://lvm.conf \ file://0001-implement-libc-specific-reopen_stream.patch \ file://0002-Guard-use-of-mallinfo-with-__GLIBC__.patch \ @@ -19,12 +19,11 @@ SRC_URI = "git://sourceware.org/git/lvm2.git \ SRCREV = "b9391b1b9f0b73303fa21f8f92574d17ce4c2b02" S = "${WORKDIR}/git" -inherit autotools-brokensep pkgconfig systemd license +inherit autotools-brokensep pkgconfig systemd LVM2_PACKAGECONFIG = "dmeventd" LVM2_PACKAGECONFIG_append_class-target = " \ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ - ${@incompatible_license_contains('GPLv3', '', 'thin-provisioning-tools', d)} \ " # odirect is always enabled because there currently is a bug in @@ -37,6 +36,7 @@ PACKAGECONFIG[dmeventd] = "--enable-dmeventd,--disable-dmeventd" PACKAGECONFIG[odirect] = "--enable-o_direct,--disable-o_direct" PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" +# NOTE: Add thin-provisioning-tools only if your distro policy allows GPL-3.0 license PACKAGECONFIG[thin-provisioning-tools] = "--with-thin=internal,--with-thin=none,,thin-provisioning-tools" # Unset user/group to unbreak install. @@ -53,4 +53,3 @@ EXTRA_OECONF = "--with-user= \ --with-thin-repair=${sbindir}/thin_repair \ --with-thin-restore=${sbindir}/thin_restore \ " - diff --git a/meta-oe/recipes-support/mcelog/mce-inject_git.bb b/meta-oe/recipes-support/mcelog/mce-inject_git.bb index cc33cbaf28..8241bd2342 100644 --- a/meta-oe/recipes-support/mcelog/mce-inject_git.bb +++ b/meta-oe/recipes-support/mcelog/mce-inject_git.bb @@ -4,7 +4,7 @@ software level into a running Linux kernel. This is intended for \ validation of the kernel machine check handler." SECTION = "System Environment/Base" -SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git" +SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git;branch=master" SRCREV = "4cbe46321b4a81365ff3aafafe63967264dbfec5" diff --git a/meta-oe/recipes-support/mcelog/mce-test_git.bb b/meta-oe/recipes-support/mcelog/mce-test_git.bb index 35fb944702..f245515216 100644 --- a/meta-oe/recipes-support/mcelog/mce-test_git.bb +++ b/meta-oe/recipes-support/mcelog/mce-test_git.bb @@ -10,7 +10,7 @@ containment and recovery, ACPI/APEI support etc." LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-test.git;protocol=git \ +SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-test.git;protocol=git;branch=master \ file://makefile-remove-ldflags.patch \ file://0001-gcov_merge.py-scov_merge.py-switch-to-python3.patch \ " diff --git a/meta-oe/recipes-support/mcelog/mcelog_168.bb b/meta-oe/recipes-support/mcelog/mcelog_168.bb index e2ef6ea589..c464132176 100644 --- a/meta-oe/recipes-support/mcelog/mcelog_168.bb +++ b/meta-oe/recipes-support/mcelog/mcelog_168.bb @@ -5,7 +5,7 @@ and should run on all Linux systems that need error handling." HOMEPAGE = "http://mcelog.org/" SECTION = "System Environment/Base" -SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git;protocol=http; \ +SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git;protocol=http;branch=master \ file://run-ptest \ " diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch new file mode 100644 index 0000000000..d06ef44f68 --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch @@ -0,0 +1,154 @@ +From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001 +From: Martin Wilck <mwilck@suse.com> +Date: Thu, 1 Sep 2022 19:21:30 +0200 +Subject: [PATCH] multipath-tools: use /run instead of /dev/shm + +/dev/shm may have unsafe permissions. Use /run instead. +Use systemd's tmpfiles.d mechanism to create /run/multipath +early during boot. + +For backward compatibilty, make the runtime directory configurable +via the "runtimedir" make variable. + +Signed-off-by: Martin Wilck <mwilck@suse.com> +Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com> + +CVE: CVE-2022-41973 +Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .gitignore | 2 ++ + Makefile.inc | 7 ++++++- + libmultipath/defaults.h | 3 +-- + multipath/Makefile | 11 ++++++++--- + multipath/{multipath.rules => multipath.rules.in} | 4 ++-- + multipath/tmpfiles.conf.in | 1 + + 6 files changed, 20 insertions(+), 8 deletions(-) + rename multipath/{multipath.rules => multipath.rules.in} (95%) + create mode 100644 multipath/tmpfiles.conf.in + +diff --git a/.gitignore b/.gitignore +index 9926756b..f90b0350 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -8,6 +8,8 @@ + *.d + kpartx/kpartx + multipath/multipath ++multipath/multipath.rules ++multipath/tmpfiles.conf + multipathd/multipathd + mpathpersist/mpathpersist + .nfs* +diff --git a/Makefile.inc b/Makefile.inc +index 4eb08eed..648f91b4 100644 +--- a/Makefile.inc ++++ b/Makefile.inc +@@ -44,6 +44,7 @@ exec_prefix = $(prefix) + usr_prefix = $(prefix) + bindir = $(exec_prefix)/usr/sbin + libudevdir = $(prefix)/$(SYSTEMDPATH)/udev ++tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d + udevrulesdir = $(libudevdir)/rules.d + multipathdir = $(TOPDIR)/libmultipath + man8dir = $(prefix)/usr/share/man/man8 +@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp + nvmedir = $(TOPDIR)/libmultipath/nvme + includedir = $(prefix)/usr/include + pkgconfdir = $(usrlibdir)/pkgconfig ++runtimedir := /$(RUN) + + GZIP = gzip -9 -c + RM = rm -f +@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \ + -Wno-unused-parameter -Werror=cast-qual \ + -Werror=discarded-qualifiers + +-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2 ++CPPFLAGS := $(FORTIFY_OPT) \ ++ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \ ++ -DRUNTIME_DIR=\"$(runtimedir)\" \ ++ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP + CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \ + -MMD -MP $(CFLAGS) + BIN_CFLAGS = -fPIE -DPIE +diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h +index c2164c16..908e0ca3 100644 +--- a/libmultipath/defaults.h ++++ b/libmultipath/defaults.h +@@ -64,8 +64,7 @@ + #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids" + #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys" + #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d" +-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/" +- ++#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/" + + static inline char *set_default(char *str) + { +diff --git a/multipath/Makefile b/multipath/Makefile +index e720c7f6..28976546 100644 +--- a/multipath/Makefile ++++ b/multipath/Makefile +@@ -12,7 +12,7 @@ EXEC = multipath + + OBJS = main.o + +-all: $(EXEC) ++all: $(EXEC) multipath.rules tmpfiles.conf + + $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so + $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS) +@@ -26,7 +26,9 @@ install: + $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/ + $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir) + $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir) +- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules ++ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules ++ $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir) ++ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir) +@@ -43,9 +45,12 @@ uninstall: + $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz + + clean: dep_clean +- $(RM) core *.o $(EXEC) *.gz ++ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf + + include $(wildcard $(OBJS:.o=.d)) + + dep_clean: + $(RM) $(OBJS:.o=.d) ++ ++%: %.in ++ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@ +diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in +similarity index 95% +rename from multipath/multipath.rules +rename to multipath/multipath.rules.in +index 0486bf70..5fb499e6 100644 +--- a/multipath/multipath.rules ++++ b/multipath/multipath.rules.in +@@ -1,8 +1,8 @@ + # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath + SUBSYSTEM!="block", GOTO="end_mpath" + KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath" +-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \ +- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor" ++ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \ ++ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor" + ACTION!="add|change", GOTO="end_mpath" + + IMPORT{cmdline}="nompath" +diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in +new file mode 100644 +index 00000000..21be438a +--- /dev/null ++++ b/multipath/tmpfiles.conf.in +@@ -0,0 +1 @@ ++d @RUNTIME_DIR@/multipath 0700 root root - +-- +2.25.1 + diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch new file mode 100644 index 0000000000..dcc2cd49ef --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch @@ -0,0 +1,162 @@ +From 0168696f95b5c610c3861ced8ef98accd1a83b91 Mon Sep 17 00:00:00 2001 +From: Benjamin Marzinski <bmarzins@redhat.com> +Date: Tue, 27 Sep 2022 12:36:37 +0200 +Subject: [PATCH] multipathd: ignore duplicated multipathd command keys + +multipath adds rather than or-s the values of command keys. Fix this. +Also, return an invalid fingerprint if a key is used more than once. + +References: +https://nvd.nist.gov/vuln/detail/CVE-2022-41974 +https://github.com/opensvc/multipath-tools/issues/59 + +Upstream-Status: Backport [https://github.com/openSUSE/multipath-tools/commit/fbbf280a0e26026c19879d938ebb2a8200b6357c] +CVE: CVE-2022-41974 + +Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + multipathd/cli.c | 8 ++-- + multipathd/main.c | 104 +++++++++++++++++++++++----------------------- + 2 files changed, 57 insertions(+), 55 deletions(-) + +diff --git a/multipathd/cli.c b/multipathd/cli.c +index 800c0fbe..0a266761 100644 +--- a/multipathd/cli.c ++++ b/multipathd/cli.c +@@ -336,9 +336,11 @@ fingerprint(vector vec) + if (!vec) + return 0; + +- vector_foreach_slot(vec, kw, i) +- fp += kw->code; +- ++ vector_foreach_slot(vec, kw, i) { ++ if (fp & kw->code) ++ return (uint64_t)-1; ++ fp |= kw->code; ++ } + return fp; + } + +diff --git a/multipathd/main.c b/multipathd/main.c +index 8baf9abe..975287d2 100644 +--- a/multipathd/main.c ++++ b/multipathd/main.c +@@ -1522,61 +1522,61 @@ uxlsnrloop (void * ap) + /* Tell main thread that thread has started */ + post_config_state(DAEMON_CONFIGURE); + +- set_handler_callback(LIST+PATHS, cli_list_paths); +- set_handler_callback(LIST+PATHS+FMT, cli_list_paths_fmt); +- set_handler_callback(LIST+PATHS+RAW+FMT, cli_list_paths_raw); +- set_handler_callback(LIST+PATH, cli_list_path); +- set_handler_callback(LIST+MAPS, cli_list_maps); +- set_handler_callback(LIST+STATUS, cli_list_status); +- set_unlocked_handler_callback(LIST+DAEMON, cli_list_daemon); +- set_handler_callback(LIST+MAPS+STATUS, cli_list_maps_status); +- set_handler_callback(LIST+MAPS+STATS, cli_list_maps_stats); +- set_handler_callback(LIST+MAPS+FMT, cli_list_maps_fmt); +- set_handler_callback(LIST+MAPS+RAW+FMT, cli_list_maps_raw); +- set_handler_callback(LIST+MAPS+TOPOLOGY, cli_list_maps_topology); +- set_handler_callback(LIST+TOPOLOGY, cli_list_maps_topology); +- set_handler_callback(LIST+MAPS+JSON, cli_list_maps_json); +- set_handler_callback(LIST+MAP+TOPOLOGY, cli_list_map_topology); +- set_handler_callback(LIST+MAP+FMT, cli_list_map_fmt); +- set_handler_callback(LIST+MAP+RAW+FMT, cli_list_map_fmt); +- set_handler_callback(LIST+MAP+JSON, cli_list_map_json); +- set_handler_callback(LIST+CONFIG+LOCAL, cli_list_config_local); +- set_handler_callback(LIST+CONFIG, cli_list_config); +- set_handler_callback(LIST+BLACKLIST, cli_list_blacklist); +- set_handler_callback(LIST+DEVICES, cli_list_devices); +- set_handler_callback(LIST+WILDCARDS, cli_list_wildcards); +- set_handler_callback(RESET+MAPS+STATS, cli_reset_maps_stats); +- set_handler_callback(RESET+MAP+STATS, cli_reset_map_stats); +- set_handler_callback(ADD+PATH, cli_add_path); +- set_handler_callback(DEL+PATH, cli_del_path); +- set_handler_callback(ADD+MAP, cli_add_map); +- set_handler_callback(DEL+MAP, cli_del_map); +- set_handler_callback(SWITCH+MAP+GROUP, cli_switch_group); ++ set_handler_callback(LIST|PATHS, cli_list_paths); ++ set_handler_callback(LIST|PATHS|FMT, cli_list_paths_fmt); ++ set_handler_callback(LIST|PATHS|RAW|FMT, cli_list_paths_raw); ++ set_handler_callback(LIST|PATH, cli_list_path); ++ set_handler_callback(LIST|MAPS, cli_list_maps); ++ set_handler_callback(LIST|STATUS, cli_list_status); ++ set_unlocked_handler_callback(LIST|DAEMON, cli_list_daemon); ++ set_handler_callback(LIST|MAPS|STATUS, cli_list_maps_status); ++ set_handler_callback(LIST|MAPS|STATS, cli_list_maps_stats); ++ set_handler_callback(LIST|MAPS|FMT, cli_list_maps_fmt); ++ set_handler_callback(LIST|MAPS|RAW|FMT, cli_list_maps_raw); ++ set_handler_callback(LIST|MAPS|TOPOLOGY, cli_list_maps_topology); ++ set_handler_callback(LIST|TOPOLOGY, cli_list_maps_topology); ++ set_handler_callback(LIST|MAPS|JSON, cli_list_maps_json); ++ set_handler_callback(LIST|MAP|TOPOLOGY, cli_list_map_topology); ++ set_handler_callback(LIST|MAP|FMT, cli_list_map_fmt); ++ set_handler_callback(LIST|MAP|RAW|FMT, cli_list_map_fmt); ++ set_handler_callback(LIST|MAP|JSON, cli_list_map_json); ++ set_handler_callback(LIST|CONFIG|LOCAL, cli_list_config_local); ++ set_handler_callback(LIST|CONFIG, cli_list_config); ++ set_handler_callback(LIST|BLACKLIST, cli_list_blacklist); ++ set_handler_callback(LIST|DEVICES, cli_list_devices); ++ set_handler_callback(LIST|WILDCARDS, cli_list_wildcards); ++ set_handler_callback(RESET|MAPS|STATS, cli_reset_maps_stats); ++ set_handler_callback(RESET|MAP|STATS, cli_reset_map_stats); ++ set_handler_callback(ADD|PATH, cli_add_path); ++ set_handler_callback(DEL|PATH, cli_del_path); ++ set_handler_callback(ADD|MAP, cli_add_map); ++ set_handler_callback(DEL|MAP, cli_del_map); ++ set_handler_callback(SWITCH|MAP|GROUP, cli_switch_group); + set_unlocked_handler_callback(RECONFIGURE, cli_reconfigure); +- set_handler_callback(SUSPEND+MAP, cli_suspend); +- set_handler_callback(RESUME+MAP, cli_resume); +- set_handler_callback(RESIZE+MAP, cli_resize); +- set_handler_callback(RELOAD+MAP, cli_reload); +- set_handler_callback(RESET+MAP, cli_reassign); +- set_handler_callback(REINSTATE+PATH, cli_reinstate); +- set_handler_callback(FAIL+PATH, cli_fail); +- set_handler_callback(DISABLEQ+MAP, cli_disable_queueing); +- set_handler_callback(RESTOREQ+MAP, cli_restore_queueing); +- set_handler_callback(DISABLEQ+MAPS, cli_disable_all_queueing); +- set_handler_callback(RESTOREQ+MAPS, cli_restore_all_queueing); ++ set_handler_callback(SUSPEND|MAP, cli_suspend); ++ set_handler_callback(RESUME|MAP, cli_resume); ++ set_handler_callback(RESIZE|MAP, cli_resize); ++ set_handler_callback(RELOAD|MAP, cli_reload); ++ set_handler_callback(RESET|MAP, cli_reassign); ++ set_handler_callback(REINSTATE|PATH, cli_reinstate); ++ set_handler_callback(FAIL|PATH, cli_fail); ++ set_handler_callback(DISABLEQ|MAP, cli_disable_queueing); ++ set_handler_callback(RESTOREQ|MAP, cli_restore_queueing); ++ set_handler_callback(DISABLEQ|MAPS, cli_disable_all_queueing); ++ set_handler_callback(RESTOREQ|MAPS, cli_restore_all_queueing); + set_unlocked_handler_callback(QUIT, cli_quit); + set_unlocked_handler_callback(SHUTDOWN, cli_shutdown); +- set_handler_callback(GETPRSTATUS+MAP, cli_getprstatus); +- set_handler_callback(SETPRSTATUS+MAP, cli_setprstatus); +- set_handler_callback(UNSETPRSTATUS+MAP, cli_unsetprstatus); +- set_handler_callback(FORCEQ+DAEMON, cli_force_no_daemon_q); +- set_handler_callback(RESTOREQ+DAEMON, cli_restore_no_daemon_q); +- set_handler_callback(GETPRKEY+MAP, cli_getprkey); +- set_handler_callback(SETPRKEY+MAP+KEY, cli_setprkey); +- set_handler_callback(UNSETPRKEY+MAP, cli_unsetprkey); +- set_handler_callback(SETMARGINAL+PATH, cli_set_marginal); +- set_handler_callback(UNSETMARGINAL+PATH, cli_unset_marginal); +- set_handler_callback(UNSETMARGINAL+MAP, cli_unset_all_marginal); ++ set_handler_callback(GETPRSTATUS|MAP, cli_getprstatus); ++ set_handler_callback(SETPRSTATUS|MAP, cli_setprstatus); ++ set_handler_callback(UNSETPRSTATUS|MAP, cli_unsetprstatus); ++ set_handler_callback(FORCEQ|DAEMON, cli_force_no_daemon_q); ++ set_handler_callback(RESTOREQ|DAEMON, cli_restore_no_daemon_q); ++ set_handler_callback(GETPRKEY|MAP, cli_getprkey); ++ set_handler_callback(SETPRKEY|MAP|KEY, cli_setprkey); ++ set_handler_callback(UNSETPRKEY|MAP, cli_unsetprkey); ++ set_handler_callback(SETMARGINAL|PATH, cli_set_marginal); ++ set_handler_callback(UNSETMARGINAL|PATH, cli_unset_marginal); ++ set_handler_callback(UNSETMARGINAL|MAP, cli_unset_all_marginal); + + umask(077); + uxsock_listen(&uxsock_trigger, ux_sock, ap); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb index 8b0c89338f..e14e494366 100644 --- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb +++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb @@ -29,7 +29,7 @@ DEPENDS = "libdevmapper \ LICENSE = "GPLv2" -SRC_URI = "git://git.opensvc.com/multipath-tools/.git;protocol=http \ +SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=master \ file://multipathd.oe \ file://multipath.conf.example \ file://0021-RH-fixup-udev-rules-for-redhat.patch \ @@ -45,6 +45,8 @@ SRC_URI = "git://git.opensvc.com/multipath-tools/.git;protocol=http \ file://0031-Always-use-devmapper-for-kpartx.patch \ file://0001-fix-bug-of-do_compile-and-do_install.patch \ file://0001-add-explicit-dependency-on-libraries.patch \ + file://CVE-2022-41973.patch \ + file://CVE-2022-41974.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" @@ -117,3 +119,6 @@ FILES_kpartx = "${base_sbindir}/kpartx \ RDEPENDS_${PN} += "kpartx" PARALLEL_MAKE = "" + +FILES:${PN}-libs += "usr/lib/*.so.*" +FILES:${PN}-libs += "usr/lib/tmpfiles.d/*" diff --git a/meta-oe/recipes-support/ne10/ne10_1.2.1.bb b/meta-oe/recipes-support/ne10/ne10_1.2.1.bb index f37ccde1cb..6cb53212a4 100644 --- a/meta-oe/recipes-support/ne10/ne10_1.2.1.bb +++ b/meta-oe/recipes-support/ne10/ne10_1.2.1.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e7fe20c9be97be5579e3ab5d92d3a218" SECTION = "libs" -SRC_URI = "git://github.com/projectNe10/Ne10.git \ +SRC_URI = "git://github.com/projectNe10/Ne10.git;branch=master;protocol=https \ file://0001-CMakeLists.txt-Remove-mthumb-interwork.patch \ file://0001-Dont-specify-march-explicitly.patch \ " diff --git a/meta-oe/recipes-support/neon/neon/run-ptest b/meta-oe/recipes-support/neon/neon/run-ptest new file mode 100644 index 0000000000..602084a52c --- /dev/null +++ b/meta-oe/recipes-support/neon/neon/run-ptest @@ -0,0 +1,25 @@ +#!/bin/sh + +set -eux + +rm -f debug.log child.log + +ulimit -c unlimited +ulimit -t 120 + +cd test +echo foobar > foobar.txt + +BASIC_TESTS="auth basic redirect request session socket string-tests \ + stubs uri-tests util-tests" +DAV_TESTS="acl3744 lock oldacl props xml xmlreq" +for t in $BASIC_TESTS $DAV_TESTS +do + echo "Running $t..." + if "./$t" + then + echo "PASS:$t" + else + echo "FAIL:$t" + fi +done diff --git a/meta-oe/recipes-support/neon/neon_0.30.2.bb b/meta-oe/recipes-support/neon/neon_0.30.2.bb index 00b79f6330..7feec41d62 100644 --- a/meta-oe/recipes-support/neon/neon_0.30.2.bb +++ b/meta-oe/recipes-support/neon/neon_0.30.2.bb @@ -7,12 +7,13 @@ LIC_FILES_CHKSUM = "file://src/COPYING.LIB;md5=f30a9716ef3762e3467a2f62bf790f0a SRC_URI = "${DEBIAN_MIRROR}/main/n/neon27/neon27_${PV}.orig.tar.gz \ file://pkgconfig.patch \ + file://run-ptest \ " SRC_URI[md5sum] = "e28d77bf14032d7f5046b3930704ef41" SRC_URI[sha256sum] = "db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d3d967fbca" -inherit autotools binconfig-disabled lib_package pkgconfig +inherit autotools binconfig-disabled lib_package pkgconfig ptest # Enable gnutls or openssl, not both PACKAGECONFIG ?= "expat gnutls libproxy webdav zlib" @@ -33,6 +34,18 @@ do_compile_append() { oe_runmake -C test } +do_install_ptest(){ + BASIC_TESTS="auth basic redirect request session socket string-tests \ + stubs uri-tests util-tests" + DAV_TESTS="acl3744 lock oldacl props xml xmlreq" + mkdir "${D}${PTEST_PATH}/test" + for i in ${BASIC_TESTS} ${DAV_TESTS} + do + install -m 0755 "${B}/test/${i}" \ + "${D}${PTEST_PATH}/test" + done +} + BINCONFIG = "${bindir}/neon-config" BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch new file mode 100644 index 0000000000..b935d9eec5 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch @@ -0,0 +1,46 @@ +From 4e7e332b25a2794f381323518e52d8d95273b69e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= <fkrenzel@redhat.com> +Date: Mon, 30 Jan 2023 12:59:20 +0000 +Subject: [PATCH] Bug 1812671 - build failure while implicitly casting + SECStatus to PRUInt32. r=nss-reviewers,mt + +Author of the patch: Bob Relyea <rrelyea@redhat.com> + +Differential Revision: https://phabricator.services.mozilla.com/D167983 + +--HG-- +extra : moz-landing-system : lando +--- + lib/ssl/ssl3exthandle.c | 2 +- + lib/ssl/sslsnce.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c +index b5ae62f39..7134447bf 100644 +--- a/lib/ssl/ssl3exthandle.c ++++ b/lib/ssl/ssl3exthandle.c +@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *xtnData) + * Clients sends a filled in session ticket if one is available, and otherwise + * sends an empty ticket. Servers always send empty tickets. + */ +-PRInt32 ++SECStatus + ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, + sslBuffer *buf, PRBool *added) + { +diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c +index 56edafa1f..49f041c97 100644 +--- a/lib/ssl/sslsnce.c ++++ b/lib/ssl/sslsnce.c +@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey, + return SECSuccess; + } + +-static PRBool ++static SECStatus + ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName, + PK11SymKey **aesKey, PK11SymKey **macKey); + +-- +2.40.1 + diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch new file mode 100644 index 0000000000..dc7e172aae --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch @@ -0,0 +1,75 @@ +From cbf5a2bce75ca2c2fd3e247796b9892f5298584e Mon Sep 17 00:00:00 2001 +From: "John M. Schanck" <jschanck@mozilla.com> +Date: Thu, 13 Apr 2023 17:43:46 +0000 +Subject: [PATCH] Bug 1826650 - cmd/ecperf: fix dangling pointer warning on gcc + 13. r=djackson + +Differential Revision: https://phabricator.services.mozilla.com/D174822 + +--HG-- +extra : moz-landing-system : lando +--- + cmd/ecperf/ecperf.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c +index 705d68f35..a07004d8e 100644 +--- a/cmd/ecperf/ecperf.c ++++ b/cmd/ecperf/ecperf.c +@@ -53,6 +53,7 @@ PKCS11Thread(void *data) + SECItem sig; + CK_SESSION_HANDLE session; + CK_RV crv; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -68,6 +69,7 @@ PKCS11Thread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -79,6 +81,10 @@ PKCS11Thread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +@@ -89,6 +95,7 @@ genericThread(void *data) + int iters = threadData->iters; + unsigned char sigData[256]; + SECItem sig; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -96,6 +103,7 @@ genericThread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -107,6 +115,10 @@ genericThread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +-- +2.40.1 + diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch new file mode 100644 index 0000000000..a229a2d20f --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch @@ -0,0 +1,65 @@ +From 9ff9d3925d31ab265a965ab1d16d76c496ddb5c8 Mon Sep 17 00:00:00 2001 +From: Benjamin Beurdouche <bbeurdouche@mozilla.com> +Date: Sat, 18 Jul 2020 00:13:38 +0000 +Subject: [PATCH] Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by + PKCS11. r=jcj,kjacobs,rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D74801 + +--HG-- +extra : moz-landing-system : lando +--- + nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc | 11 +++++++++-- + nss/lib/freebl/chacha20poly1305.c | 2 +- + 2 files changed, 10 insertions(+), 3 deletions(-) + +CVE: CVE-2020-12403 +Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/9ff9d3925d31ab265a965ab1d16d76c496ddb5c8] +Comment: Refreshed path for whole patchset +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +diff --git a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc +index 41f9da71d6..3ea17678d9 100644 +--- a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc ++++ b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc +@@ -45,7 +45,7 @@ class Pkcs11ChaCha20Poly1305Test + SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params), + sizeof(aead_params)}; + +- // Encrypt with bad parameters. ++ // Encrypt with bad parameters (TagLen is too long). + unsigned int encrypted_len = 0; + std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen); + aead_params.ulTagLen = 158072; +@@ -54,9 +54,16 @@ class Pkcs11ChaCha20Poly1305Test + &encrypted_len, encrypted.size(), data, data_len); + EXPECT_EQ(SECFailure, rv); + EXPECT_EQ(0U, encrypted_len); +- aead_params.ulTagLen = 16; ++ ++ // Encrypt with bad parameters (TagLen is too short). ++ aead_params.ulTagLen = 2; ++ rv = PK11_Encrypt(key.get(), kMech, ¶ms, encrypted.data(), ++ &encrypted_len, encrypted.size(), data, data_len); ++ EXPECT_EQ(SECFailure, rv); ++ EXPECT_EQ(0U, encrypted_len); + + // Encrypt. ++ aead_params.ulTagLen = 16; + rv = PK11_Encrypt(key.get(), kMech, ¶ms, encrypted.data(), + &encrypted_len, encrypted.size(), data, data_len); + +diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c +index 970c6436da..5c294a9eaf 100644 +--- a/nss/lib/freebl/chacha20poly1305.c ++++ b/nss/lib/freebl/chacha20poly1305.c +@@ -81,7 +81,7 @@ ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; + } +- if (tagLen == 0 || tagLen > 16) { ++ if (tagLen != 16) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch new file mode 100644 index 0000000000..7b093d0cda --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch @@ -0,0 +1,80 @@ +From 06b2b1c50bd4eaa7f65d858e5e3f44f678cb3c45 Mon Sep 17 00:00:00 2001 +From: Benjamin Beurdouche <bbeurdouche@mozilla.com> +Date: Sat, 18 Jul 2020 00:13:14 +0000 +Subject: [PATCH] Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. + r=kjacobs,rrelyea + +Depends on D74801 + +Differential Revision: https://phabricator.services.mozilla.com/D83994 + +--HG-- +extra : moz-landing-system : lando +--- + nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc | 49 +++++++++++++++++++++ + nss/lib/softoken/pkcs11c.c | 1 + + 2 files changed, 50 insertions(+) + +CVE: CVE-2020-12403 +Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/06b2b1c50bd4eaa7f65d858e5e3f44f678cb3c45] +Comment: Refreshed path for whole patchset and removed change for pkcs11c.c +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +diff --git a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc +index 38982fd885..700750cc90 100644 +--- a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc ++++ b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc +@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) { + NSS_ShutdownContext(globalctx); + } + ++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) { ++ PK11SlotInfo* slot; ++ PK11SymKey* key; ++ PK11Context* ctx; ++ ++ NSSInitContext* globalctx = ++ NSS_InitContext("", "", "", "", NULL, ++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | ++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT); ++ ++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR; ++ ++ slot = PK11_GetInternalSlot(); ++ ASSERT_TRUE(slot); ++ ++ // Use arbitrary bytes for the ChaCha20 key and IV ++ uint8_t key_bytes[32]; ++ for (size_t i = 0; i < 32; i++) { ++ key_bytes[i] = i; ++ } ++ SECItem keyItem = {siBuffer, key_bytes, 32}; ++ ++ uint8_t iv_bytes[16]; ++ for (size_t i = 0; i < 16; i++) { ++ key_bytes[i] = i; ++ } ++ SECItem ivItem = {siBuffer, iv_bytes, 16}; ++ ++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem); ++ ++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT, ++ &keyItem, NULL); ++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param); ++ ASSERT_TRUE(key); ++ ASSERT_TRUE(ctx); ++ ++ uint8_t outbuf[128]; ++ // This is supposed to fail for Chacha20. This is because the underlying ++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for ++ // which multi-part is disabled for ChaCha20 in counter mode. ++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure); ++ ++ PK11_FreeSymKey(key); ++ PK11_FreeSlot(slot); ++ SECITEM_FreeItem(param, PR_TRUE); ++ PK11_DestroyContext(ctx, PR_TRUE); ++ NSS_ShutdownContext(globalctx); ++} ++ + } // namespace nss_test diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch new file mode 100644 index 0000000000..f30d4d32cd --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch @@ -0,0 +1,163 @@ +# HG changeset patch +# User Daiki Ueno <dueno@redhat.com> +# Date 1602524521 0 +# Node ID 57bbefa793232586d27cee83e74411171e128361 +# Parent 6e3bc17f05086854ffd2b06f7fae9371f7a0c174 +Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt + +This makes the server reject CCS when the client doesn't indicate the +use of the middlebox compatibility mode with a non-empty +ClientHello.legacy_session_id, or it sends multiple CCS in a row. + +Differential Revision: https://phabricator.services.mozilla.com/D79994 + +Upstream-Status: Backport +CVE: CVE-2020-25648 +Reference to upstream patch: https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 +Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> + +diff --color -Naur nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc +--- nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:05:47.447142660 +0100 ++++ nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:12:32.645932052 +0100 +@@ -348,6 +348,85 @@ + client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + } + ++// The server rejects a ChangeCipherSpec if the client advertises an ++// empty session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The server rejects multiple ChangeCipherSpec even if the client ++// indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ // Send CCS twice in a row ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS. ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects a ChangeCipherSpec if it advertises an empty ++// session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // Send CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects multiple ChangeCipherSpec in a row even if the ++// client indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterServerHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // the ServerHello is followed by CCS ++ // Send another CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ + // If we negotiate 1.2, we abort. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) { + EnsureTlsSetup(); +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/ssl3con.c nss-3.51.1/nss/lib/ssl/ssl3con.c +--- nss-3.51.1_old/nss/lib/ssl/ssl3con.c 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/ssl3con.c 2022-12-08 16:12:42.037994262 +0100 +@@ -6711,7 +6711,11 @@ + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { +- return sidMatch; ++ if (sidMatch) { ++ ss->ssl3.hs.allowCcs = PR_TRUE; ++ return PR_TRUE; ++ } ++ return PR_FALSE; + } + + /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ +@@ -8730,6 +8734,7 @@ + errCode = PORT_GetError(); + goto alert_loser; + } ++ ss->ssl3.hs.allowCcs = PR_TRUE; + } + + /* TLS 1.3 requires that compression include only null. */ +@@ -13058,8 +13063,15 @@ + ss->ssl3.hs.ws != idle_handshake && + cText->buf->len == 1 && + cText->buf->buf[0] == change_cipher_spec_choice) { +- /* Ignore the CCS. */ +- return SECSuccess; ++ if (ss->ssl3.hs.allowCcs) { ++ /* Ignore the first CCS. */ ++ ss->ssl3.hs.allowCcs = PR_FALSE; ++ return SECSuccess; ++ } ++ ++ /* Compatibility mode is not negotiated. */ ++ alert = unexpected_message; ++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); + } + + if (IS_DTLS(ss) || +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/sslimpl.h nss-3.51.1/nss/lib/ssl/sslimpl.h +--- nss-3.51.1_old/nss/lib/ssl/sslimpl.h 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/sslimpl.h 2022-12-08 16:12:45.106014567 +0100 +@@ -711,6 +711,10 @@ + * or received. */ + PRBool receivedCcs; /* A server received ChangeCipherSpec + * before the handshake started. */ ++ PRBool allowCcs; /* A server allows ChangeCipherSpec ++ * as the middlebox compatibility mode ++ * is explicitly indicarted by ++ * legacy_session_id in TLS 1.3 ClientHello. */ + PRBool clientCertRequested; /* True if CertificateRequest received. */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-6829_12400.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-6829_12400.patch new file mode 100644 index 0000000000..5fb9f773a6 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-6829_12400.patch @@ -0,0 +1,19789 @@ + +# HG changeset patch +# User Billy Brumley <bbrumley@gmail.com> +# Date 1594909956 0 +# Node ID e55ab3145546ae3cf1333b43956a974675d2d25c +# Parent 688d2a7257586ba8ca7febe46e6ae43c4c1fe04e +Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea + +This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: + +[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. + +Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> +Co-authored-by: Jesús-Javier Chi-DomÃnguez <jesus.chidominguez@tuni.fi> + +Differential Revision: https://phabricator.services.mozilla.com/D79267 + +Upstream-Status: Backport +https://hg.mozilla.org/projects/nss/raw-rev/e55ab3145546ae3cf1333b43956a974675d2d25c +CVE: CVE-2020-6829 +CVE: CVE-2020-12400 +Signed-off-by Armin Kuster <akuster@mvista.com> + +diff --git a/nss/lib/freebl/ecl/ecl-priv.h b/nss/lib/freebl/ecl/ecl-priv.h +--- a/nss/lib/freebl/ecl/ecl-priv.h ++++ b/nss/lib/freebl/ecl/ecl-priv.h +@@ -240,11 +240,12 @@ mp_err ec_group_set_gfp256(ECGroup *grou + mp_err ec_group_set_gfp384(ECGroup *group, ECCurveName); + mp_err ec_group_set_gfp521(ECGroup *group, ECCurveName); + mp_err ec_group_set_gf2m163(ECGroup *group, ECCurveName name); + mp_err ec_group_set_gf2m193(ECGroup *group, ECCurveName name); + mp_err ec_group_set_gf2m233(ECGroup *group, ECCurveName name); + + /* Optimized point multiplication */ + mp_err ec_group_set_gfp256_32(ECGroup *group, ECCurveName name); ++mp_err ec_group_set_secp384r1(ECGroup *group, ECCurveName name); + + SECStatus ec_Curve25519_mul(PRUint8 *q, const PRUint8 *s, const PRUint8 *p); + #endif /* __ecl_priv_h_ */ +diff --git a/lib/freebl/ecl/ecl.c b/lib/freebl/ecl/ecl.c +--- a/nss/lib/freebl/ecl/ecl.c ++++ b/nss/lib/freebl/ecl/ecl.c +@@ -159,16 +159,26 @@ construct_ecgroup(const ECCurveName name + &order, cofactor); + if (group == NULL) { + res = MP_UNDEF; + goto CLEANUP; + } + MP_CHECKOK(ec_group_set_gfp256(group, name)); + MP_CHECKOK(ec_group_set_gfp256_32(group, name)); + break; ++ case ECCurve_SECG_PRIME_384R1: ++ group = ++ ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, ++ &order, cofactor); ++ if (group == NULL) { ++ res = MP_UNDEF; ++ goto CLEANUP; ++ } ++ MP_CHECKOK(ec_group_set_secp384r1(group, name)); ++ break; + case ECCurve_SECG_PRIME_521R1: + group = + ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, + &order, cofactor); + if (group == NULL) { + res = MP_UNDEF; + goto CLEANUP; + } +diff --git a/lib/freebl/ecl/ecp_secp384r1.c b/lib/freebl/ecl/ecp_secp384r1.c +new file mode 100644 +--- /dev/null ++++ b/nss/lib/freebl/ecl/ecp_secp384r1.c +@@ -0,0 +1,19668 @@ ++/* Autogenerated: ECCKiila https://gitlab.com/nisec/ecckiila */ ++/*- ++ * MIT License ++ * ++ * Copyright (c) 2020 Luis Rivera-Zamarripa, Jesús-Javier Chi-DomÃnguez, Billy Bob Brumley ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++#if defined(__SIZEOF_INT128__) && !defined(PEDANTIC) ++ ++#include <stdint.h> ++#include <string.h> ++#define LIMB_BITS 64 ++#define LIMB_CNT 6 ++/* Field elements */ ++typedef uint64_t fe_t[LIMB_CNT]; ++typedef uint64_t limb_t; ++ ++#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) ++#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) ++ ++/* Projective points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++ fe_t Z; ++} pt_prj_t; ++ ++/* Affine points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++} pt_aff_t; ++ ++/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ ++/*- ++ * MIT License ++ * ++ * Copyright (c) 2020 the fiat-crypto authors (see the AUTHORS file) ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++/* Autogenerated: word_by_word_montgomery --static secp384r1 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ ++/* curve description: secp384r1 */ ++/* machine_wordsize = 64 (from "64") */ ++/* requested operations: (all) */ ++/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ ++/* */ ++/* NOTE: In addition to the bounds specified above each function, all */ ++/* functions synthesized for this Montgomery arithmetic require the */ ++/* input to be strictly less than the prime modulus (m), and also */ ++/* require the input to be in the unique saturated representation. */ ++/* All functions also ensure that these two properties are true of */ ++/* return values. */ ++/* */ ++/* Computed values: */ ++/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ ++/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ ++ ++#include <stdint.h> ++typedef unsigned char fiat_secp384r1_uint1; ++typedef signed char fiat_secp384r1_int1; ++typedef signed __int128 fiat_secp384r1_int128; ++typedef unsigned __int128 fiat_secp384r1_uint128; ++ ++#if (-1 & 3) != 3 ++#error "This code only works on a two's complement system" ++#endif ++ ++/* ++ * The function fiat_secp384r1_addcarryx_u64 is an addition with carry. ++ * Postconditions: ++ * out1 = (arg1 + arg2 + arg3) mod 2^64 ++ * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * arg3: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_addcarryx_u64(uint64_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint64_t arg2, uint64_t arg3) ++{ ++ fiat_secp384r1_uint128 x1; ++ uint64_t x2; ++ fiat_secp384r1_uint1 x3; ++ x1 = ((arg1 + (fiat_secp384r1_uint128)arg2) + arg3); ++ x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); ++ x3 = (fiat_secp384r1_uint1)(x1 >> 64); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_subborrowx_u64 is a subtraction with borrow. ++ * Postconditions: ++ * out1 = (-arg1 + arg2 + -arg3) mod 2^64 ++ * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * arg3: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_subborrowx_u64(uint64_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint64_t arg2, uint64_t arg3) ++{ ++ fiat_secp384r1_int128 x1; ++ fiat_secp384r1_int1 x2; ++ uint64_t x3; ++ x1 = ((arg2 - (fiat_secp384r1_int128)arg1) - arg3); ++ x2 = (fiat_secp384r1_int1)(x1 >> 64); ++ x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); ++ *out1 = x3; ++ *out2 = (fiat_secp384r1_uint1)(0x0 - x2); ++} ++ ++/* ++ * The function fiat_secp384r1_mulx_u64 is a multiplication, returning the full double-width result. ++ * Postconditions: ++ * out1 = (arg1 * arg2) mod 2^64 ++ * out2 = ⌊arg1 * arg2 / 2^64⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0xffffffffffffffff] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ * out2: [0x0 ~> 0xffffffffffffffff] ++ */ ++static void ++fiat_secp384r1_mulx_u64(uint64_t *out1, uint64_t *out2, ++ uint64_t arg1, uint64_t arg2) ++{ ++ fiat_secp384r1_uint128 x1; ++ uint64_t x2; ++ uint64_t x3; ++ x1 = ((fiat_secp384r1_uint128)arg1 * arg2); ++ x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); ++ x3 = (uint64_t)(x1 >> 64); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_cmovznz_u64 is a single-word conditional move. ++ * Postconditions: ++ * out1 = (if arg1 = 0 then arg2 else arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * arg3: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ */ ++static void ++fiat_secp384r1_cmovznz_u64(uint64_t *out1, ++ fiat_secp384r1_uint1 arg1, uint64_t arg2, ++ uint64_t arg3) ++{ ++ fiat_secp384r1_uint1 x1; ++ uint64_t x2; ++ uint64_t x3; ++ x1 = (!(!arg1)); ++ x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); ++ x3 = ((x2 & arg3) | ((~x2) & arg2)); ++ *out1 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_mul(uint64_t out1[6], const uint64_t arg1[6], ++ const uint64_t arg2[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint64_t x16; ++ uint64_t x17; ++ uint64_t x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint64_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint64_t x27; ++ fiat_secp384r1_uint1 x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ uint64_t x38; ++ uint64_t x39; ++ uint64_t x40; ++ uint64_t x41; ++ uint64_t x42; ++ uint64_t x43; ++ uint64_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint64_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint64_t x48; ++ fiat_secp384r1_uint1 x49; ++ uint64_t x50; ++ fiat_secp384r1_uint1 x51; ++ uint64_t x52; ++ fiat_secp384r1_uint1 x53; ++ uint64_t x54; ++ uint64_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint64_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint64_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint64_t x61; ++ fiat_secp384r1_uint1 x62; ++ uint64_t x63; ++ fiat_secp384r1_uint1 x64; ++ uint64_t x65; ++ fiat_secp384r1_uint1 x66; ++ uint64_t x67; ++ fiat_secp384r1_uint1 x68; ++ uint64_t x69; ++ uint64_t x70; ++ uint64_t x71; ++ uint64_t x72; ++ uint64_t x73; ++ uint64_t x74; ++ uint64_t x75; ++ uint64_t x76; ++ uint64_t x77; ++ uint64_t x78; ++ uint64_t x79; ++ uint64_t x80; ++ uint64_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint64_t x83; ++ fiat_secp384r1_uint1 x84; ++ uint64_t x85; ++ fiat_secp384r1_uint1 x86; ++ uint64_t x87; ++ fiat_secp384r1_uint1 x88; ++ uint64_t x89; ++ fiat_secp384r1_uint1 x90; ++ uint64_t x91; ++ uint64_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint64_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint64_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint64_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint64_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint64_t x102; ++ fiat_secp384r1_uint1 x103; ++ uint64_t x104; ++ fiat_secp384r1_uint1 x105; ++ uint64_t x106; ++ uint64_t x107; ++ uint64_t x108; ++ uint64_t x109; ++ uint64_t x110; ++ uint64_t x111; ++ uint64_t x112; ++ uint64_t x113; ++ uint64_t x114; ++ uint64_t x115; ++ uint64_t x116; ++ uint64_t x117; ++ uint64_t x118; ++ uint64_t x119; ++ uint64_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint64_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint64_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint64_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint64_t x128; ++ fiat_secp384r1_uint1 x129; ++ uint64_t x130; ++ uint64_t x131; ++ fiat_secp384r1_uint1 x132; ++ uint64_t x133; ++ fiat_secp384r1_uint1 x134; ++ uint64_t x135; ++ fiat_secp384r1_uint1 x136; ++ uint64_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint64_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint64_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint64_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint64_t x145; ++ uint64_t x146; ++ uint64_t x147; ++ uint64_t x148; ++ uint64_t x149; ++ uint64_t x150; ++ uint64_t x151; ++ uint64_t x152; ++ uint64_t x153; ++ uint64_t x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ fiat_secp384r1_uint1 x159; ++ uint64_t x160; ++ fiat_secp384r1_uint1 x161; ++ uint64_t x162; ++ fiat_secp384r1_uint1 x163; ++ uint64_t x164; ++ fiat_secp384r1_uint1 x165; ++ uint64_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint64_t x168; ++ uint64_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint64_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint64_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint64_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint64_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint64_t x179; ++ fiat_secp384r1_uint1 x180; ++ uint64_t x181; ++ fiat_secp384r1_uint1 x182; ++ uint64_t x183; ++ uint64_t x184; ++ uint64_t x185; ++ uint64_t x186; ++ uint64_t x187; ++ uint64_t x188; ++ uint64_t x189; ++ uint64_t x190; ++ uint64_t x191; ++ uint64_t x192; ++ uint64_t x193; ++ uint64_t x194; ++ uint64_t x195; ++ uint64_t x196; ++ uint64_t x197; ++ fiat_secp384r1_uint1 x198; ++ uint64_t x199; ++ fiat_secp384r1_uint1 x200; ++ uint64_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint64_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint64_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint64_t x207; ++ uint64_t x208; ++ fiat_secp384r1_uint1 x209; ++ uint64_t x210; ++ fiat_secp384r1_uint1 x211; ++ uint64_t x212; ++ fiat_secp384r1_uint1 x213; ++ uint64_t x214; ++ fiat_secp384r1_uint1 x215; ++ uint64_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint64_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint64_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint64_t x222; ++ uint64_t x223; ++ uint64_t x224; ++ uint64_t x225; ++ uint64_t x226; ++ uint64_t x227; ++ uint64_t x228; ++ uint64_t x229; ++ uint64_t x230; ++ uint64_t x231; ++ uint64_t x232; ++ uint64_t x233; ++ uint64_t x234; ++ uint64_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint64_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint64_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint64_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint64_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint64_t x245; ++ uint64_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint64_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint64_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint64_t x252; ++ fiat_secp384r1_uint1 x253; ++ uint64_t x254; ++ fiat_secp384r1_uint1 x255; ++ uint64_t x256; ++ fiat_secp384r1_uint1 x257; ++ uint64_t x258; ++ fiat_secp384r1_uint1 x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ uint64_t x267; ++ uint64_t x268; ++ uint64_t x269; ++ uint64_t x270; ++ uint64_t x271; ++ uint64_t x272; ++ uint64_t x273; ++ uint64_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint64_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint64_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint64_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint64_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint64_t x284; ++ uint64_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint64_t x287; ++ fiat_secp384r1_uint1 x288; ++ uint64_t x289; ++ fiat_secp384r1_uint1 x290; ++ uint64_t x291; ++ fiat_secp384r1_uint1 x292; ++ uint64_t x293; ++ fiat_secp384r1_uint1 x294; ++ uint64_t x295; ++ fiat_secp384r1_uint1 x296; ++ uint64_t x297; ++ fiat_secp384r1_uint1 x298; ++ uint64_t x299; ++ uint64_t x300; ++ uint64_t x301; ++ uint64_t x302; ++ uint64_t x303; ++ uint64_t x304; ++ uint64_t x305; ++ uint64_t x306; ++ uint64_t x307; ++ uint64_t x308; ++ uint64_t x309; ++ uint64_t x310; ++ uint64_t x311; ++ uint64_t x312; ++ fiat_secp384r1_uint1 x313; ++ uint64_t x314; ++ fiat_secp384r1_uint1 x315; ++ uint64_t x316; ++ fiat_secp384r1_uint1 x317; ++ uint64_t x318; ++ fiat_secp384r1_uint1 x319; ++ uint64_t x320; ++ fiat_secp384r1_uint1 x321; ++ uint64_t x322; ++ uint64_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint64_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint64_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint64_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint64_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint64_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint64_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint64_t x337; ++ uint64_t x338; ++ uint64_t x339; ++ uint64_t x340; ++ uint64_t x341; ++ uint64_t x342; ++ uint64_t x343; ++ uint64_t x344; ++ uint64_t x345; ++ uint64_t x346; ++ uint64_t x347; ++ uint64_t x348; ++ uint64_t x349; ++ uint64_t x350; ++ uint64_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint64_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint64_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint64_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint64_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint64_t x361; ++ uint64_t x362; ++ fiat_secp384r1_uint1 x363; ++ uint64_t x364; ++ fiat_secp384r1_uint1 x365; ++ uint64_t x366; ++ fiat_secp384r1_uint1 x367; ++ uint64_t x368; ++ fiat_secp384r1_uint1 x369; ++ uint64_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint64_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint64_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint64_t x376; ++ uint64_t x377; ++ uint64_t x378; ++ uint64_t x379; ++ uint64_t x380; ++ uint64_t x381; ++ uint64_t x382; ++ uint64_t x383; ++ uint64_t x384; ++ uint64_t x385; ++ uint64_t x386; ++ uint64_t x387; ++ uint64_t x388; ++ uint64_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint64_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint64_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint64_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint64_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint64_t x399; ++ uint64_t x400; ++ fiat_secp384r1_uint1 x401; ++ uint64_t x402; ++ fiat_secp384r1_uint1 x403; ++ uint64_t x404; ++ fiat_secp384r1_uint1 x405; ++ uint64_t x406; ++ fiat_secp384r1_uint1 x407; ++ uint64_t x408; ++ fiat_secp384r1_uint1 x409; ++ uint64_t x410; ++ fiat_secp384r1_uint1 x411; ++ uint64_t x412; ++ fiat_secp384r1_uint1 x413; ++ uint64_t x414; ++ uint64_t x415; ++ uint64_t x416; ++ uint64_t x417; ++ uint64_t x418; ++ uint64_t x419; ++ uint64_t x420; ++ uint64_t x421; ++ uint64_t x422; ++ uint64_t x423; ++ uint64_t x424; ++ uint64_t x425; ++ uint64_t x426; ++ uint64_t x427; ++ uint64_t x428; ++ fiat_secp384r1_uint1 x429; ++ uint64_t x430; ++ fiat_secp384r1_uint1 x431; ++ uint64_t x432; ++ fiat_secp384r1_uint1 x433; ++ uint64_t x434; ++ fiat_secp384r1_uint1 x435; ++ uint64_t x436; ++ fiat_secp384r1_uint1 x437; ++ uint64_t x438; ++ uint64_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint64_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint64_t x443; ++ fiat_secp384r1_uint1 x444; ++ uint64_t x445; ++ fiat_secp384r1_uint1 x446; ++ uint64_t x447; ++ fiat_secp384r1_uint1 x448; ++ uint64_t x449; ++ fiat_secp384r1_uint1 x450; ++ uint64_t x451; ++ fiat_secp384r1_uint1 x452; ++ uint64_t x453; ++ uint64_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint64_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint64_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint64_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint64_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint64_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint64_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint64_t x468; ++ uint64_t x469; ++ uint64_t x470; ++ uint64_t x471; ++ uint64_t x472; ++ uint64_t x473; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); ++ fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); ++ fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); ++ fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); ++ fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); ++ x29 = (x28 + x8); ++ fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); ++ fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); ++ fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); ++ fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); ++ fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); ++ x54 = (x53 + x33); ++ fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); ++ fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); ++ fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); ++ fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); ++ fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); ++ fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); ++ fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); ++ fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); ++ fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); ++ fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); ++ fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); ++ fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); ++ x91 = (x90 + x70); ++ fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); ++ fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); ++ fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); ++ fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); ++ fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); ++ fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); ++ fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); ++ fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); ++ fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); ++ fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); ++ fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); ++ fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); ++ x130 = (x129 + x109); ++ fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); ++ fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); ++ fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); ++ fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); ++ fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); ++ fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); ++ fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); ++ x145 = ((uint64_t)x144 + x105); ++ fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); ++ fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); ++ fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); ++ fiat_secp384r1_addcarryx_u64(&x164, &x165, x163, x151, x148); ++ fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); ++ x168 = (x167 + x147); ++ fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); ++ fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); ++ fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x137, x160); ++ fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); ++ fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); ++ fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); ++ fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); ++ fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); ++ fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); ++ fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); ++ fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); ++ fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); ++ x207 = (x206 + x186); ++ fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); ++ fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); ++ fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); ++ fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); ++ fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); ++ fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); ++ fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); ++ x222 = ((uint64_t)x221 + x182); ++ fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); ++ fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); ++ fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); ++ fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); ++ fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); ++ x245 = (x244 + x224); ++ fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); ++ fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); ++ fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); ++ fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); ++ fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); ++ fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); ++ fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); ++ fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); ++ fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); ++ fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); ++ fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); ++ fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); ++ x284 = (x283 + x263); ++ fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); ++ fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); ++ fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); ++ fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); ++ fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, x280); ++ fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); ++ fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); ++ x299 = ((uint64_t)x298 + x259); ++ fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); ++ fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); ++ fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); ++ fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); ++ fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); ++ x322 = (x321 + x301); ++ fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); ++ fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); ++ fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); ++ fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); ++ fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); ++ fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); ++ fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); ++ fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x345, &x346, x337, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); ++ fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); ++ fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); ++ fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); ++ x361 = (x360 + x340); ++ fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); ++ fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); ++ fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); ++ fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); ++ fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); ++ fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); ++ fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); ++ x376 = ((uint64_t)x375 + x336); ++ fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); ++ fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); ++ fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); ++ fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); ++ fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); ++ x399 = (x398 + x378); ++ fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); ++ fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); ++ fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); ++ fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); ++ fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); ++ fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); ++ fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); ++ fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); ++ fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); ++ fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); ++ fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); ++ fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); ++ x438 = (x437 + x417); ++ fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); ++ fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); ++ fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); ++ fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); ++ fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); ++ fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); ++ fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); ++ x453 = ((uint64_t)x452 + x413); ++ fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); ++ fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); ++ fiat_secp384r1_cmovznz_u64(&x470, x467, x458, x445); ++ fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); ++ fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); ++ fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); ++ out1[0] = x468; ++ out1[1] = x469; ++ out1[2] = x470; ++ out1[3] = x471; ++ out1[4] = x472; ++ out1[5] = x473; ++} ++ ++/* ++ * The function fiat_secp384r1_square squares a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_square(uint64_t out1[6], const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint64_t x16; ++ uint64_t x17; ++ uint64_t x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint64_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint64_t x27; ++ fiat_secp384r1_uint1 x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ uint64_t x38; ++ uint64_t x39; ++ uint64_t x40; ++ uint64_t x41; ++ uint64_t x42; ++ uint64_t x43; ++ uint64_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint64_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint64_t x48; ++ fiat_secp384r1_uint1 x49; ++ uint64_t x50; ++ fiat_secp384r1_uint1 x51; ++ uint64_t x52; ++ fiat_secp384r1_uint1 x53; ++ uint64_t x54; ++ uint64_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint64_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint64_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint64_t x61; ++ fiat_secp384r1_uint1 x62; ++ uint64_t x63; ++ fiat_secp384r1_uint1 x64; ++ uint64_t x65; ++ fiat_secp384r1_uint1 x66; ++ uint64_t x67; ++ fiat_secp384r1_uint1 x68; ++ uint64_t x69; ++ uint64_t x70; ++ uint64_t x71; ++ uint64_t x72; ++ uint64_t x73; ++ uint64_t x74; ++ uint64_t x75; ++ uint64_t x76; ++ uint64_t x77; ++ uint64_t x78; ++ uint64_t x79; ++ uint64_t x80; ++ uint64_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint64_t x83; ++ fiat_secp384r1_uint1 x84; ++ uint64_t x85; ++ fiat_secp384r1_uint1 x86; ++ uint64_t x87; ++ fiat_secp384r1_uint1 x88; ++ uint64_t x89; ++ fiat_secp384r1_uint1 x90; ++ uint64_t x91; ++ uint64_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint64_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint64_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint64_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint64_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint64_t x102; ++ fiat_secp384r1_uint1 x103; ++ uint64_t x104; ++ fiat_secp384r1_uint1 x105; ++ uint64_t x106; ++ uint64_t x107; ++ uint64_t x108; ++ uint64_t x109; ++ uint64_t x110; ++ uint64_t x111; ++ uint64_t x112; ++ uint64_t x113; ++ uint64_t x114; ++ uint64_t x115; ++ uint64_t x116; ++ uint64_t x117; ++ uint64_t x118; ++ uint64_t x119; ++ uint64_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint64_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint64_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint64_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint64_t x128; ++ fiat_secp384r1_uint1 x129; ++ uint64_t x130; ++ uint64_t x131; ++ fiat_secp384r1_uint1 x132; ++ uint64_t x133; ++ fiat_secp384r1_uint1 x134; ++ uint64_t x135; ++ fiat_secp384r1_uint1 x136; ++ uint64_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint64_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint64_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint64_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint64_t x145; ++ uint64_t x146; ++ uint64_t x147; ++ uint64_t x148; ++ uint64_t x149; ++ uint64_t x150; ++ uint64_t x151; ++ uint64_t x152; ++ uint64_t x153; ++ uint64_t x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ fiat_secp384r1_uint1 x159; ++ uint64_t x160; ++ fiat_secp384r1_uint1 x161; ++ uint64_t x162; ++ fiat_secp384r1_uint1 x163; ++ uint64_t x164; ++ fiat_secp384r1_uint1 x165; ++ uint64_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint64_t x168; ++ uint64_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint64_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint64_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint64_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint64_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint64_t x179; ++ fiat_secp384r1_uint1 x180; ++ uint64_t x181; ++ fiat_secp384r1_uint1 x182; ++ uint64_t x183; ++ uint64_t x184; ++ uint64_t x185; ++ uint64_t x186; ++ uint64_t x187; ++ uint64_t x188; ++ uint64_t x189; ++ uint64_t x190; ++ uint64_t x191; ++ uint64_t x192; ++ uint64_t x193; ++ uint64_t x194; ++ uint64_t x195; ++ uint64_t x196; ++ uint64_t x197; ++ fiat_secp384r1_uint1 x198; ++ uint64_t x199; ++ fiat_secp384r1_uint1 x200; ++ uint64_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint64_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint64_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint64_t x207; ++ uint64_t x208; ++ fiat_secp384r1_uint1 x209; ++ uint64_t x210; ++ fiat_secp384r1_uint1 x211; ++ uint64_t x212; ++ fiat_secp384r1_uint1 x213; ++ uint64_t x214; ++ fiat_secp384r1_uint1 x215; ++ uint64_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint64_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint64_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint64_t x222; ++ uint64_t x223; ++ uint64_t x224; ++ uint64_t x225; ++ uint64_t x226; ++ uint64_t x227; ++ uint64_t x228; ++ uint64_t x229; ++ uint64_t x230; ++ uint64_t x231; ++ uint64_t x232; ++ uint64_t x233; ++ uint64_t x234; ++ uint64_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint64_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint64_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint64_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint64_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint64_t x245; ++ uint64_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint64_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint64_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint64_t x252; ++ fiat_secp384r1_uint1 x253; ++ uint64_t x254; ++ fiat_secp384r1_uint1 x255; ++ uint64_t x256; ++ fiat_secp384r1_uint1 x257; ++ uint64_t x258; ++ fiat_secp384r1_uint1 x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ uint64_t x267; ++ uint64_t x268; ++ uint64_t x269; ++ uint64_t x270; ++ uint64_t x271; ++ uint64_t x272; ++ uint64_t x273; ++ uint64_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint64_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint64_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint64_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint64_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint64_t x284; ++ uint64_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint64_t x287; ++ fiat_secp384r1_uint1 x288; ++ uint64_t x289; ++ fiat_secp384r1_uint1 x290; ++ uint64_t x291; ++ fiat_secp384r1_uint1 x292; ++ uint64_t x293; ++ fiat_secp384r1_uint1 x294; ++ uint64_t x295; ++ fiat_secp384r1_uint1 x296; ++ uint64_t x297; ++ fiat_secp384r1_uint1 x298; ++ uint64_t x299; ++ uint64_t x300; ++ uint64_t x301; ++ uint64_t x302; ++ uint64_t x303; ++ uint64_t x304; ++ uint64_t x305; ++ uint64_t x306; ++ uint64_t x307; ++ uint64_t x308; ++ uint64_t x309; ++ uint64_t x310; ++ uint64_t x311; ++ uint64_t x312; ++ fiat_secp384r1_uint1 x313; ++ uint64_t x314; ++ fiat_secp384r1_uint1 x315; ++ uint64_t x316; ++ fiat_secp384r1_uint1 x317; ++ uint64_t x318; ++ fiat_secp384r1_uint1 x319; ++ uint64_t x320; ++ fiat_secp384r1_uint1 x321; ++ uint64_t x322; ++ uint64_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint64_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint64_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint64_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint64_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint64_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint64_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint64_t x337; ++ uint64_t x338; ++ uint64_t x339; ++ uint64_t x340; ++ uint64_t x341; ++ uint64_t x342; ++ uint64_t x343; ++ uint64_t x344; ++ uint64_t x345; ++ uint64_t x346; ++ uint64_t x347; ++ uint64_t x348; ++ uint64_t x349; ++ uint64_t x350; ++ uint64_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint64_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint64_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint64_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint64_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint64_t x361; ++ uint64_t x362; ++ fiat_secp384r1_uint1 x363; ++ uint64_t x364; ++ fiat_secp384r1_uint1 x365; ++ uint64_t x366; ++ fiat_secp384r1_uint1 x367; ++ uint64_t x368; ++ fiat_secp384r1_uint1 x369; ++ uint64_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint64_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint64_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint64_t x376; ++ uint64_t x377; ++ uint64_t x378; ++ uint64_t x379; ++ uint64_t x380; ++ uint64_t x381; ++ uint64_t x382; ++ uint64_t x383; ++ uint64_t x384; ++ uint64_t x385; ++ uint64_t x386; ++ uint64_t x387; ++ uint64_t x388; ++ uint64_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint64_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint64_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint64_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint64_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint64_t x399; ++ uint64_t x400; ++ fiat_secp384r1_uint1 x401; ++ uint64_t x402; ++ fiat_secp384r1_uint1 x403; ++ uint64_t x404; ++ fiat_secp384r1_uint1 x405; ++ uint64_t x406; ++ fiat_secp384r1_uint1 x407; ++ uint64_t x408; ++ fiat_secp384r1_uint1 x409; ++ uint64_t x410; ++ fiat_secp384r1_uint1 x411; ++ uint64_t x412; ++ fiat_secp384r1_uint1 x413; ++ uint64_t x414; ++ uint64_t x415; ++ uint64_t x416; ++ uint64_t x417; ++ uint64_t x418; ++ uint64_t x419; ++ uint64_t x420; ++ uint64_t x421; ++ uint64_t x422; ++ uint64_t x423; ++ uint64_t x424; ++ uint64_t x425; ++ uint64_t x426; ++ uint64_t x427; ++ uint64_t x428; ++ fiat_secp384r1_uint1 x429; ++ uint64_t x430; ++ fiat_secp384r1_uint1 x431; ++ uint64_t x432; ++ fiat_secp384r1_uint1 x433; ++ uint64_t x434; ++ fiat_secp384r1_uint1 x435; ++ uint64_t x436; ++ fiat_secp384r1_uint1 x437; ++ uint64_t x438; ++ uint64_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint64_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint64_t x443; ++ fiat_secp384r1_uint1 x444; ++ uint64_t x445; ++ fiat_secp384r1_uint1 x446; ++ uint64_t x447; ++ fiat_secp384r1_uint1 x448; ++ uint64_t x449; ++ fiat_secp384r1_uint1 x450; ++ uint64_t x451; ++ fiat_secp384r1_uint1 x452; ++ uint64_t x453; ++ uint64_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint64_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint64_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint64_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint64_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint64_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint64_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint64_t x468; ++ uint64_t x469; ++ uint64_t x470; ++ uint64_t x471; ++ uint64_t x472; ++ uint64_t x473; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); ++ fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); ++ fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); ++ fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); ++ fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); ++ x29 = (x28 + x8); ++ fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); ++ fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); ++ fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); ++ fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); ++ fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); ++ x54 = (x53 + x33); ++ fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); ++ fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); ++ fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); ++ fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); ++ fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); ++ fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); ++ fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); ++ fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); ++ fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); ++ fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); ++ fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); ++ fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); ++ x91 = (x90 + x70); ++ fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); ++ fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); ++ fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); ++ fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); ++ fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); ++ fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); ++ fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); ++ fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); ++ fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); ++ fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); ++ fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); ++ fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); ++ x130 = (x129 + x109); ++ fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); ++ fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); ++ fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); ++ fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); ++ fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); ++ fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); ++ fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); ++ x145 = ((uint64_t)x144 + x105); ++ fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); ++ fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); ++ fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); ++ fiat_secp384r1_addcarryx_u64(&x164, &x165, x163, x151, x148); ++ fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); ++ x168 = (x167 + x147); ++ fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); ++ fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); ++ fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x137, x160); ++ fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); ++ fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); ++ fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); ++ fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); ++ fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); ++ fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); ++ fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); ++ fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); ++ fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); ++ x207 = (x206 + x186); ++ fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); ++ fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); ++ fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); ++ fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); ++ fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); ++ fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); ++ fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); ++ x222 = ((uint64_t)x221 + x182); ++ fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); ++ fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); ++ fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); ++ fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); ++ fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); ++ x245 = (x244 + x224); ++ fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); ++ fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); ++ fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); ++ fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); ++ fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); ++ fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); ++ fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); ++ fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); ++ fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); ++ fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); ++ fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); ++ fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); ++ x284 = (x283 + x263); ++ fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); ++ fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); ++ fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); ++ fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); ++ fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, x280); ++ fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); ++ fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); ++ x299 = ((uint64_t)x298 + x259); ++ fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); ++ fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); ++ fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); ++ fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); ++ fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); ++ x322 = (x321 + x301); ++ fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); ++ fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); ++ fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); ++ fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); ++ fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); ++ fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); ++ fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); ++ fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x345, &x346, x337, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); ++ fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); ++ fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); ++ fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); ++ x361 = (x360 + x340); ++ fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); ++ fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); ++ fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); ++ fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); ++ fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); ++ fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); ++ fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); ++ x376 = ((uint64_t)x375 + x336); ++ fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); ++ fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); ++ fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); ++ fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); ++ fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); ++ x399 = (x398 + x378); ++ fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); ++ fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); ++ fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); ++ fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); ++ fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); ++ fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); ++ fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); ++ fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); ++ fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); ++ fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); ++ fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); ++ fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); ++ x438 = (x437 + x417); ++ fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); ++ fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); ++ fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); ++ fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); ++ fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); ++ fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); ++ fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); ++ x453 = ((uint64_t)x452 + x413); ++ fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); ++ fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); ++ fiat_secp384r1_cmovznz_u64(&x470, x467, x458, x445); ++ fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); ++ fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); ++ fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); ++ out1[0] = x468; ++ out1[1] = x469; ++ out1[2] = x470; ++ out1[3] = x471; ++ out1[4] = x472; ++ out1[5] = x473; ++} ++ ++/* ++ * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_add(uint64_t out1[6], const uint64_t arg1[6], ++ const uint64_t arg2[6]) ++{ ++ uint64_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint64_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint64_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint64_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint64_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint64_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint64_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint64_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint64_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint64_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint64_t x27; ++ uint64_t x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ fiat_secp384r1_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_addcarryx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_addcarryx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_subborrowx_u64(&x13, &x14, 0x0, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x15, &x16, x14, x3, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x17, &x18, x16, x5, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x19, &x20, x18, x7, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x21, &x22, x20, x9, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x23, &x24, x22, x11, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x25, &x26, x24, x12, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x27, x26, x13, x1); ++ fiat_secp384r1_cmovznz_u64(&x28, x26, x15, x3); ++ fiat_secp384r1_cmovznz_u64(&x29, x26, x17, x5); ++ fiat_secp384r1_cmovznz_u64(&x30, x26, x19, x7); ++ fiat_secp384r1_cmovznz_u64(&x31, x26, x21, x9); ++ fiat_secp384r1_cmovznz_u64(&x32, x26, x23, x11); ++ out1[0] = x27; ++ out1[1] = x28; ++ out1[2] = x29; ++ out1[3] = x30; ++ out1[4] = x31; ++ out1[5] = x32; ++} ++ ++/* ++ * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_sub(uint64_t out1[6], const uint64_t arg1[6], ++ const uint64_t arg2[6]) ++{ ++ uint64_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint64_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint64_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint64_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint64_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint64_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint64_t x13; ++ uint64_t x14; ++ fiat_secp384r1_uint1 x15; ++ uint64_t x16; ++ fiat_secp384r1_uint1 x17; ++ uint64_t x18; ++ fiat_secp384r1_uint1 x19; ++ uint64_t x20; ++ fiat_secp384r1_uint1 x21; ++ uint64_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint64_t x24; ++ fiat_secp384r1_uint1 x25; ++ fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, ++ (x13 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, ++ (x13 & UINT64_C(0xffffffff00000000))); ++ fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, ++ (x13 & UINT64_C(0xfffffffffffffffe))); ++ fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ out1[0] = x14; ++ out1[1] = x16; ++ out1[2] = x18; ++ out1[3] = x20; ++ out1[4] = x22; ++ out1[5] = x24; ++} ++ ++/* ++ * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_opp(uint64_t out1[6], const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint64_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint64_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint64_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint64_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint64_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint64_t x13; ++ uint64_t x14; ++ fiat_secp384r1_uint1 x15; ++ uint64_t x16; ++ fiat_secp384r1_uint1 x17; ++ uint64_t x18; ++ fiat_secp384r1_uint1 x19; ++ uint64_t x20; ++ fiat_secp384r1_uint1 x21; ++ uint64_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint64_t x24; ++ fiat_secp384r1_uint1 x25; ++ fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); ++ fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); ++ fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); ++ fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); ++ fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, 0x0, (arg1[4])); ++ fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, 0x0, (arg1[5])); ++ fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, ++ (x13 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, ++ (x13 & UINT64_C(0xffffffff00000000))); ++ fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, ++ (x13 & UINT64_C(0xfffffffffffffffe))); ++ fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ out1[0] = x14; ++ out1[1] = x16; ++ out1[2] = x18; ++ out1[3] = x20; ++ out1[4] = x22; ++ out1[5] = x24; ++} ++ ++/* ++ * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = (eval arg1 * ((2^64)â»Â¹ mod m)^6) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_from_montgomery(uint64_t out1[6], ++ const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint64_t x16; ++ fiat_secp384r1_uint1 x17; ++ uint64_t x18; ++ fiat_secp384r1_uint1 x19; ++ uint64_t x20; ++ fiat_secp384r1_uint1 x21; ++ uint64_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint64_t x24; ++ fiat_secp384r1_uint1 x25; ++ uint64_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint64_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint64_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint64_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint64_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint64_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint64_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint64_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint64_t x42; ++ fiat_secp384r1_uint1 x43; ++ uint64_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint64_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint64_t x48; ++ fiat_secp384r1_uint1 x49; ++ uint64_t x50; ++ fiat_secp384r1_uint1 x51; ++ uint64_t x52; ++ uint64_t x53; ++ uint64_t x54; ++ uint64_t x55; ++ uint64_t x56; ++ uint64_t x57; ++ uint64_t x58; ++ uint64_t x59; ++ uint64_t x60; ++ uint64_t x61; ++ uint64_t x62; ++ uint64_t x63; ++ uint64_t x64; ++ uint64_t x65; ++ uint64_t x66; ++ fiat_secp384r1_uint1 x67; ++ uint64_t x68; ++ fiat_secp384r1_uint1 x69; ++ uint64_t x70; ++ fiat_secp384r1_uint1 x71; ++ uint64_t x72; ++ fiat_secp384r1_uint1 x73; ++ uint64_t x74; ++ fiat_secp384r1_uint1 x75; ++ uint64_t x76; ++ fiat_secp384r1_uint1 x77; ++ uint64_t x78; ++ fiat_secp384r1_uint1 x79; ++ uint64_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint64_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint64_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint64_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint64_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint64_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint64_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint64_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint64_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint64_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint64_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint64_t x102; ++ uint64_t x103; ++ uint64_t x104; ++ uint64_t x105; ++ uint64_t x106; ++ uint64_t x107; ++ uint64_t x108; ++ uint64_t x109; ++ uint64_t x110; ++ uint64_t x111; ++ uint64_t x112; ++ uint64_t x113; ++ uint64_t x114; ++ uint64_t x115; ++ uint64_t x116; ++ fiat_secp384r1_uint1 x117; ++ uint64_t x118; ++ fiat_secp384r1_uint1 x119; ++ uint64_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint64_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint64_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint64_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint64_t x128; ++ fiat_secp384r1_uint1 x129; ++ uint64_t x130; ++ fiat_secp384r1_uint1 x131; ++ uint64_t x132; ++ fiat_secp384r1_uint1 x133; ++ uint64_t x134; ++ fiat_secp384r1_uint1 x135; ++ uint64_t x136; ++ fiat_secp384r1_uint1 x137; ++ uint64_t x138; ++ fiat_secp384r1_uint1 x139; ++ uint64_t x140; ++ fiat_secp384r1_uint1 x141; ++ uint64_t x142; ++ fiat_secp384r1_uint1 x143; ++ uint64_t x144; ++ fiat_secp384r1_uint1 x145; ++ uint64_t x146; ++ fiat_secp384r1_uint1 x147; ++ uint64_t x148; ++ fiat_secp384r1_uint1 x149; ++ uint64_t x150; ++ fiat_secp384r1_uint1 x151; ++ uint64_t x152; ++ uint64_t x153; ++ uint64_t x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ uint64_t x159; ++ uint64_t x160; ++ uint64_t x161; ++ uint64_t x162; ++ uint64_t x163; ++ uint64_t x164; ++ uint64_t x165; ++ uint64_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint64_t x168; ++ fiat_secp384r1_uint1 x169; ++ uint64_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint64_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint64_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint64_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint64_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint64_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint64_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint64_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint64_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint64_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint64_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint64_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint64_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint64_t x196; ++ fiat_secp384r1_uint1 x197; ++ uint64_t x198; ++ fiat_secp384r1_uint1 x199; ++ uint64_t x200; ++ fiat_secp384r1_uint1 x201; ++ uint64_t x202; ++ uint64_t x203; ++ uint64_t x204; ++ uint64_t x205; ++ uint64_t x206; ++ uint64_t x207; ++ uint64_t x208; ++ uint64_t x209; ++ uint64_t x210; ++ uint64_t x211; ++ uint64_t x212; ++ uint64_t x213; ++ uint64_t x214; ++ uint64_t x215; ++ uint64_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint64_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint64_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint64_t x222; ++ fiat_secp384r1_uint1 x223; ++ uint64_t x224; ++ fiat_secp384r1_uint1 x225; ++ uint64_t x226; ++ fiat_secp384r1_uint1 x227; ++ uint64_t x228; ++ fiat_secp384r1_uint1 x229; ++ uint64_t x230; ++ fiat_secp384r1_uint1 x231; ++ uint64_t x232; ++ fiat_secp384r1_uint1 x233; ++ uint64_t x234; ++ fiat_secp384r1_uint1 x235; ++ uint64_t x236; ++ fiat_secp384r1_uint1 x237; ++ uint64_t x238; ++ fiat_secp384r1_uint1 x239; ++ uint64_t x240; ++ fiat_secp384r1_uint1 x241; ++ uint64_t x242; ++ fiat_secp384r1_uint1 x243; ++ uint64_t x244; ++ fiat_secp384r1_uint1 x245; ++ uint64_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint64_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint64_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint64_t x252; ++ uint64_t x253; ++ uint64_t x254; ++ uint64_t x255; ++ uint64_t x256; ++ uint64_t x257; ++ uint64_t x258; ++ uint64_t x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ fiat_secp384r1_uint1 x267; ++ uint64_t x268; ++ fiat_secp384r1_uint1 x269; ++ uint64_t x270; ++ fiat_secp384r1_uint1 x271; ++ uint64_t x272; ++ fiat_secp384r1_uint1 x273; ++ uint64_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint64_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint64_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint64_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint64_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint64_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint64_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint64_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint64_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint64_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint64_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint64_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint64_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint64_t x300; ++ fiat_secp384r1_uint1 x301; ++ uint64_t x302; ++ fiat_secp384r1_uint1 x303; ++ uint64_t x304; ++ uint64_t x305; ++ uint64_t x306; ++ uint64_t x307; ++ uint64_t x308; ++ uint64_t x309; ++ x1 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x2, &x3, x1, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x4, &x5, x2, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x6, &x7, x2, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x8, &x9, x2, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x10, &x11, x2, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x12, &x13, x2, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x14, &x15, x2, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x16, &x17, 0x0, x15, x12); ++ fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x13, x10); ++ fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x11, x8); ++ fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x6); ++ fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x7, x4); ++ fiat_secp384r1_addcarryx_u64(&x26, &x27, 0x0, x1, x14); ++ fiat_secp384r1_addcarryx_u64(&x28, &x29, x27, 0x0, x16); ++ fiat_secp384r1_addcarryx_u64(&x30, &x31, x29, 0x0, x18); ++ fiat_secp384r1_addcarryx_u64(&x32, &x33, x31, 0x0, x20); ++ fiat_secp384r1_addcarryx_u64(&x34, &x35, x33, 0x0, x22); ++ fiat_secp384r1_addcarryx_u64(&x36, &x37, x35, 0x0, x24); ++ fiat_secp384r1_addcarryx_u64(&x38, &x39, x37, 0x0, (x25 + x5)); ++ fiat_secp384r1_addcarryx_u64(&x40, &x41, 0x0, x28, (arg1[1])); ++ fiat_secp384r1_addcarryx_u64(&x42, &x43, x41, x30, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x44, &x45, x43, x32, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x34, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x36, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x38, 0x0); ++ fiat_secp384r1_mulx_u64(&x52, &x53, x40, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x54, &x55, x52, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x56, &x57, x52, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x58, &x59, x52, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x60, &x61, x52, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x62, &x63, x52, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x64, &x65, x52, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x66, &x67, 0x0, x65, x62); ++ fiat_secp384r1_addcarryx_u64(&x68, &x69, x67, x63, x60); ++ fiat_secp384r1_addcarryx_u64(&x70, &x71, x69, x61, x58); ++ fiat_secp384r1_addcarryx_u64(&x72, &x73, x71, x59, x56); ++ fiat_secp384r1_addcarryx_u64(&x74, &x75, x73, x57, x54); ++ fiat_secp384r1_addcarryx_u64(&x76, &x77, 0x0, x40, x64); ++ fiat_secp384r1_addcarryx_u64(&x78, &x79, x77, x42, x66); ++ fiat_secp384r1_addcarryx_u64(&x80, &x81, x79, x44, x68); ++ fiat_secp384r1_addcarryx_u64(&x82, &x83, x81, x46, x70); ++ fiat_secp384r1_addcarryx_u64(&x84, &x85, x83, x48, x72); ++ fiat_secp384r1_addcarryx_u64(&x86, &x87, x85, x50, x74); ++ fiat_secp384r1_addcarryx_u64(&x88, &x89, x87, ((uint64_t)x51 + x39), ++ (x75 + x55)); ++ fiat_secp384r1_addcarryx_u64(&x90, &x91, 0x0, x78, (arg1[2])); ++ fiat_secp384r1_addcarryx_u64(&x92, &x93, x91, x80, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x82, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x84, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x86, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x88, 0x0); ++ fiat_secp384r1_mulx_u64(&x102, &x103, x90, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x104, &x105, x102, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x106, &x107, x102, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x108, &x109, x102, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x110, &x111, x102, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x112, &x113, x102, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x114, &x115, x102, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x116, &x117, 0x0, x115, x112); ++ fiat_secp384r1_addcarryx_u64(&x118, &x119, x117, x113, x110); ++ fiat_secp384r1_addcarryx_u64(&x120, &x121, x119, x111, x108); ++ fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x109, x106); ++ fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x107, x104); ++ fiat_secp384r1_addcarryx_u64(&x126, &x127, 0x0, x90, x114); ++ fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x92, x116); ++ fiat_secp384r1_addcarryx_u64(&x130, &x131, x129, x94, x118); ++ fiat_secp384r1_addcarryx_u64(&x132, &x133, x131, x96, x120); ++ fiat_secp384r1_addcarryx_u64(&x134, &x135, x133, x98, x122); ++ fiat_secp384r1_addcarryx_u64(&x136, &x137, x135, x100, x124); ++ fiat_secp384r1_addcarryx_u64(&x138, &x139, x137, ((uint64_t)x101 + x89), ++ (x125 + x105)); ++ fiat_secp384r1_addcarryx_u64(&x140, &x141, 0x0, x128, (arg1[3])); ++ fiat_secp384r1_addcarryx_u64(&x142, &x143, x141, x130, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x144, &x145, x143, x132, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x146, &x147, x145, x134, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x148, &x149, x147, x136, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x150, &x151, x149, x138, 0x0); ++ fiat_secp384r1_mulx_u64(&x152, &x153, x140, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x154, &x155, x152, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x156, &x157, x152, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x158, &x159, x152, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x160, &x161, x152, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x162, &x163, x152, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x164, &x165, x152, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x166, &x167, 0x0, x165, x162); ++ fiat_secp384r1_addcarryx_u64(&x168, &x169, x167, x163, x160); ++ fiat_secp384r1_addcarryx_u64(&x170, &x171, x169, x161, x158); ++ fiat_secp384r1_addcarryx_u64(&x172, &x173, x171, x159, x156); ++ fiat_secp384r1_addcarryx_u64(&x174, &x175, x173, x157, x154); ++ fiat_secp384r1_addcarryx_u64(&x176, &x177, 0x0, x140, x164); ++ fiat_secp384r1_addcarryx_u64(&x178, &x179, x177, x142, x166); ++ fiat_secp384r1_addcarryx_u64(&x180, &x181, x179, x144, x168); ++ fiat_secp384r1_addcarryx_u64(&x182, &x183, x181, x146, x170); ++ fiat_secp384r1_addcarryx_u64(&x184, &x185, x183, x148, x172); ++ fiat_secp384r1_addcarryx_u64(&x186, &x187, x185, x150, x174); ++ fiat_secp384r1_addcarryx_u64(&x188, &x189, x187, ((uint64_t)x151 + x139), ++ (x175 + x155)); ++ fiat_secp384r1_addcarryx_u64(&x190, &x191, 0x0, x178, (arg1[4])); ++ fiat_secp384r1_addcarryx_u64(&x192, &x193, x191, x180, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x194, &x195, x193, x182, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x196, &x197, x195, x184, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x198, &x199, x197, x186, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x200, &x201, x199, x188, 0x0); ++ fiat_secp384r1_mulx_u64(&x202, &x203, x190, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x204, &x205, x202, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x206, &x207, x202, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x208, &x209, x202, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x210, &x211, x202, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x212, &x213, x202, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x214, &x215, x202, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x216, &x217, 0x0, x215, x212); ++ fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x213, x210); ++ fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x211, x208); ++ fiat_secp384r1_addcarryx_u64(&x222, &x223, x221, x209, x206); ++ fiat_secp384r1_addcarryx_u64(&x224, &x225, x223, x207, x204); ++ fiat_secp384r1_addcarryx_u64(&x226, &x227, 0x0, x190, x214); ++ fiat_secp384r1_addcarryx_u64(&x228, &x229, x227, x192, x216); ++ fiat_secp384r1_addcarryx_u64(&x230, &x231, x229, x194, x218); ++ fiat_secp384r1_addcarryx_u64(&x232, &x233, x231, x196, x220); ++ fiat_secp384r1_addcarryx_u64(&x234, &x235, x233, x198, x222); ++ fiat_secp384r1_addcarryx_u64(&x236, &x237, x235, x200, x224); ++ fiat_secp384r1_addcarryx_u64(&x238, &x239, x237, ((uint64_t)x201 + x189), ++ (x225 + x205)); ++ fiat_secp384r1_addcarryx_u64(&x240, &x241, 0x0, x228, (arg1[5])); ++ fiat_secp384r1_addcarryx_u64(&x242, &x243, x241, x230, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x244, &x245, x243, x232, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x246, &x247, x245, x234, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x236, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x238, 0x0); ++ fiat_secp384r1_mulx_u64(&x252, &x253, x240, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x254, &x255, x252, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x256, &x257, x252, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x258, &x259, x252, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x260, &x261, x252, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x262, &x263, x252, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x264, &x265, x252, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x266, &x267, 0x0, x265, x262); ++ fiat_secp384r1_addcarryx_u64(&x268, &x269, x267, x263, x260); ++ fiat_secp384r1_addcarryx_u64(&x270, &x271, x269, x261, x258); ++ fiat_secp384r1_addcarryx_u64(&x272, &x273, x271, x259, x256); ++ fiat_secp384r1_addcarryx_u64(&x274, &x275, x273, x257, x254); ++ fiat_secp384r1_addcarryx_u64(&x276, &x277, 0x0, x240, x264); ++ fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x242, x266); ++ fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x244, x268); ++ fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x246, x270); ++ fiat_secp384r1_addcarryx_u64(&x284, &x285, x283, x248, x272); ++ fiat_secp384r1_addcarryx_u64(&x286, &x287, x285, x250, x274); ++ fiat_secp384r1_addcarryx_u64(&x288, &x289, x287, ((uint64_t)x251 + x239), ++ (x275 + x255)); ++ fiat_secp384r1_subborrowx_u64(&x290, &x291, 0x0, x278, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x292, &x293, x291, x280, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x294, &x295, x293, x282, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x296, &x297, x295, x284, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x298, &x299, x297, x286, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x300, &x301, x299, x288, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x302, &x303, x301, x289, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x304, x303, x290, x278); ++ fiat_secp384r1_cmovznz_u64(&x305, x303, x292, x280); ++ fiat_secp384r1_cmovznz_u64(&x306, x303, x294, x282); ++ fiat_secp384r1_cmovznz_u64(&x307, x303, x296, x284); ++ fiat_secp384r1_cmovznz_u64(&x308, x303, x298, x286); ++ fiat_secp384r1_cmovznz_u64(&x309, x303, x300, x288); ++ out1[0] = x304; ++ out1[1] = x305; ++ out1[2] = x306; ++ out1[3] = x307; ++ out1[4] = x308; ++ out1[5] = x309; ++} ++ ++/* ++ * The function fiat_secp384r1_to_montgomery translates a field element into the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_to_montgomery(uint64_t out1[6], ++ const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint64_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ uint64_t x24; ++ uint64_t x25; ++ uint64_t x26; ++ uint64_t x27; ++ uint64_t x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint64_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint64_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint64_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint64_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint64_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint64_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint64_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint64_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint64_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint64_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint64_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint64_t x61; ++ uint64_t x62; ++ uint64_t x63; ++ uint64_t x64; ++ uint64_t x65; ++ uint64_t x66; ++ uint64_t x67; ++ uint64_t x68; ++ uint64_t x69; ++ fiat_secp384r1_uint1 x70; ++ uint64_t x71; ++ fiat_secp384r1_uint1 x72; ++ uint64_t x73; ++ fiat_secp384r1_uint1 x74; ++ uint64_t x75; ++ fiat_secp384r1_uint1 x76; ++ uint64_t x77; ++ fiat_secp384r1_uint1 x78; ++ uint64_t x79; ++ fiat_secp384r1_uint1 x80; ++ uint64_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint64_t x83; ++ fiat_secp384r1_uint1 x84; ++ uint64_t x85; ++ fiat_secp384r1_uint1 x86; ++ uint64_t x87; ++ fiat_secp384r1_uint1 x88; ++ uint64_t x89; ++ uint64_t x90; ++ uint64_t x91; ++ uint64_t x92; ++ uint64_t x93; ++ uint64_t x94; ++ uint64_t x95; ++ uint64_t x96; ++ uint64_t x97; ++ uint64_t x98; ++ uint64_t x99; ++ uint64_t x100; ++ uint64_t x101; ++ uint64_t x102; ++ uint64_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint64_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint64_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint64_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint64_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint64_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint64_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint64_t x117; ++ fiat_secp384r1_uint1 x118; ++ uint64_t x119; ++ fiat_secp384r1_uint1 x120; ++ uint64_t x121; ++ fiat_secp384r1_uint1 x122; ++ uint64_t x123; ++ fiat_secp384r1_uint1 x124; ++ uint64_t x125; ++ fiat_secp384r1_uint1 x126; ++ uint64_t x127; ++ uint64_t x128; ++ uint64_t x129; ++ uint64_t x130; ++ uint64_t x131; ++ uint64_t x132; ++ uint64_t x133; ++ uint64_t x134; ++ uint64_t x135; ++ fiat_secp384r1_uint1 x136; ++ uint64_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint64_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint64_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint64_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint64_t x145; ++ fiat_secp384r1_uint1 x146; ++ uint64_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint64_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint64_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint64_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ uint64_t x159; ++ uint64_t x160; ++ uint64_t x161; ++ uint64_t x162; ++ uint64_t x163; ++ uint64_t x164; ++ uint64_t x165; ++ uint64_t x166; ++ uint64_t x167; ++ uint64_t x168; ++ uint64_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint64_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint64_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint64_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint64_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint64_t x179; ++ fiat_secp384r1_uint1 x180; ++ uint64_t x181; ++ fiat_secp384r1_uint1 x182; ++ uint64_t x183; ++ fiat_secp384r1_uint1 x184; ++ uint64_t x185; ++ fiat_secp384r1_uint1 x186; ++ uint64_t x187; ++ fiat_secp384r1_uint1 x188; ++ uint64_t x189; ++ fiat_secp384r1_uint1 x190; ++ uint64_t x191; ++ fiat_secp384r1_uint1 x192; ++ uint64_t x193; ++ uint64_t x194; ++ uint64_t x195; ++ uint64_t x196; ++ uint64_t x197; ++ uint64_t x198; ++ uint64_t x199; ++ uint64_t x200; ++ uint64_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint64_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint64_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint64_t x207; ++ fiat_secp384r1_uint1 x208; ++ uint64_t x209; ++ fiat_secp384r1_uint1 x210; ++ uint64_t x211; ++ fiat_secp384r1_uint1 x212; ++ uint64_t x213; ++ fiat_secp384r1_uint1 x214; ++ uint64_t x215; ++ fiat_secp384r1_uint1 x216; ++ uint64_t x217; ++ fiat_secp384r1_uint1 x218; ++ uint64_t x219; ++ fiat_secp384r1_uint1 x220; ++ uint64_t x221; ++ uint64_t x222; ++ uint64_t x223; ++ uint64_t x224; ++ uint64_t x225; ++ uint64_t x226; ++ uint64_t x227; ++ uint64_t x228; ++ uint64_t x229; ++ uint64_t x230; ++ uint64_t x231; ++ uint64_t x232; ++ uint64_t x233; ++ uint64_t x234; ++ uint64_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint64_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint64_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint64_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint64_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint64_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint64_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint64_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint64_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint64_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint64_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint64_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint64_t x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ uint64_t x267; ++ fiat_secp384r1_uint1 x268; ++ uint64_t x269; ++ fiat_secp384r1_uint1 x270; ++ uint64_t x271; ++ fiat_secp384r1_uint1 x272; ++ uint64_t x273; ++ fiat_secp384r1_uint1 x274; ++ uint64_t x275; ++ fiat_secp384r1_uint1 x276; ++ uint64_t x277; ++ fiat_secp384r1_uint1 x278; ++ uint64_t x279; ++ fiat_secp384r1_uint1 x280; ++ uint64_t x281; ++ fiat_secp384r1_uint1 x282; ++ uint64_t x283; ++ fiat_secp384r1_uint1 x284; ++ uint64_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint64_t x287; ++ uint64_t x288; ++ uint64_t x289; ++ uint64_t x290; ++ uint64_t x291; ++ uint64_t x292; ++ uint64_t x293; ++ uint64_t x294; ++ uint64_t x295; ++ uint64_t x296; ++ uint64_t x297; ++ uint64_t x298; ++ uint64_t x299; ++ uint64_t x300; ++ uint64_t x301; ++ fiat_secp384r1_uint1 x302; ++ uint64_t x303; ++ fiat_secp384r1_uint1 x304; ++ uint64_t x305; ++ fiat_secp384r1_uint1 x306; ++ uint64_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint64_t x309; ++ fiat_secp384r1_uint1 x310; ++ uint64_t x311; ++ fiat_secp384r1_uint1 x312; ++ uint64_t x313; ++ fiat_secp384r1_uint1 x314; ++ uint64_t x315; ++ fiat_secp384r1_uint1 x316; ++ uint64_t x317; ++ fiat_secp384r1_uint1 x318; ++ uint64_t x319; ++ fiat_secp384r1_uint1 x320; ++ uint64_t x321; ++ fiat_secp384r1_uint1 x322; ++ uint64_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint64_t x325; ++ uint64_t x326; ++ uint64_t x327; ++ uint64_t x328; ++ uint64_t x329; ++ uint64_t x330; ++ uint64_t x331; ++ uint64_t x332; ++ uint64_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint64_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint64_t x337; ++ fiat_secp384r1_uint1 x338; ++ uint64_t x339; ++ fiat_secp384r1_uint1 x340; ++ uint64_t x341; ++ fiat_secp384r1_uint1 x342; ++ uint64_t x343; ++ fiat_secp384r1_uint1 x344; ++ uint64_t x345; ++ fiat_secp384r1_uint1 x346; ++ uint64_t x347; ++ fiat_secp384r1_uint1 x348; ++ uint64_t x349; ++ fiat_secp384r1_uint1 x350; ++ uint64_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint64_t x353; ++ uint64_t x354; ++ uint64_t x355; ++ uint64_t x356; ++ uint64_t x357; ++ uint64_t x358; ++ uint64_t x359; ++ uint64_t x360; ++ uint64_t x361; ++ uint64_t x362; ++ uint64_t x363; ++ uint64_t x364; ++ uint64_t x365; ++ uint64_t x366; ++ uint64_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint64_t x369; ++ fiat_secp384r1_uint1 x370; ++ uint64_t x371; ++ fiat_secp384r1_uint1 x372; ++ uint64_t x373; ++ fiat_secp384r1_uint1 x374; ++ uint64_t x375; ++ fiat_secp384r1_uint1 x376; ++ uint64_t x377; ++ fiat_secp384r1_uint1 x378; ++ uint64_t x379; ++ fiat_secp384r1_uint1 x380; ++ uint64_t x381; ++ fiat_secp384r1_uint1 x382; ++ uint64_t x383; ++ fiat_secp384r1_uint1 x384; ++ uint64_t x385; ++ fiat_secp384r1_uint1 x386; ++ uint64_t x387; ++ fiat_secp384r1_uint1 x388; ++ uint64_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint64_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint64_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint64_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint64_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint64_t x399; ++ fiat_secp384r1_uint1 x400; ++ uint64_t x401; ++ fiat_secp384r1_uint1 x402; ++ uint64_t x403; ++ fiat_secp384r1_uint1 x404; ++ uint64_t x405; ++ uint64_t x406; ++ uint64_t x407; ++ uint64_t x408; ++ uint64_t x409; ++ uint64_t x410; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x7, &x8, x6, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x9, &x10, x6, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x11, &x12, x6, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x13, &x14, x6, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x15, &x16, 0x0, x14, x11); ++ fiat_secp384r1_addcarryx_u64(&x17, &x18, x16, x12, x9); ++ fiat_secp384r1_addcarryx_u64(&x19, &x20, x18, x10, x7); ++ fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x8, x6); ++ fiat_secp384r1_mulx_u64(&x23, &x24, x13, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x25, &x26, x23, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x27, &x28, x23, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x29, &x30, x23, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x31, &x32, x23, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x33, &x34, x23, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x35, &x36, x23, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x37, &x38, 0x0, x36, x33); ++ fiat_secp384r1_addcarryx_u64(&x39, &x40, x38, x34, x31); ++ fiat_secp384r1_addcarryx_u64(&x41, &x42, x40, x32, x29); ++ fiat_secp384r1_addcarryx_u64(&x43, &x44, x42, x30, x27); ++ fiat_secp384r1_addcarryx_u64(&x45, &x46, x44, x28, x25); ++ fiat_secp384r1_addcarryx_u64(&x47, &x48, 0x0, x13, x35); ++ fiat_secp384r1_addcarryx_u64(&x49, &x50, x48, x15, x37); ++ fiat_secp384r1_addcarryx_u64(&x51, &x52, x50, x17, x39); ++ fiat_secp384r1_addcarryx_u64(&x53, &x54, x52, x19, x41); ++ fiat_secp384r1_addcarryx_u64(&x55, &x56, x54, x21, x43); ++ fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x22, x45); ++ fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, 0x0, (x46 + x26)); ++ fiat_secp384r1_mulx_u64(&x61, &x62, x1, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x63, &x64, x1, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x65, &x66, x1, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x67, &x68, x1, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x69, &x70, 0x0, x68, x65); ++ fiat_secp384r1_addcarryx_u64(&x71, &x72, x70, x66, x63); ++ fiat_secp384r1_addcarryx_u64(&x73, &x74, x72, x64, x61); ++ fiat_secp384r1_addcarryx_u64(&x75, &x76, x74, x62, x1); ++ fiat_secp384r1_addcarryx_u64(&x77, &x78, 0x0, x49, x67); ++ fiat_secp384r1_addcarryx_u64(&x79, &x80, x78, x51, x69); ++ fiat_secp384r1_addcarryx_u64(&x81, &x82, x80, x53, x71); ++ fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x55, x73); ++ fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x57, x75); ++ fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x59, x76); ++ fiat_secp384r1_mulx_u64(&x89, &x90, x77, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x91, &x92, x89, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x93, &x94, x89, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x95, &x96, x89, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x97, &x98, x89, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x99, &x100, x89, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x101, &x102, x89, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x103, &x104, 0x0, x102, x99); ++ fiat_secp384r1_addcarryx_u64(&x105, &x106, x104, x100, x97); ++ fiat_secp384r1_addcarryx_u64(&x107, &x108, x106, x98, x95); ++ fiat_secp384r1_addcarryx_u64(&x109, &x110, x108, x96, x93); ++ fiat_secp384r1_addcarryx_u64(&x111, &x112, x110, x94, x91); ++ fiat_secp384r1_addcarryx_u64(&x113, &x114, 0x0, x77, x101); ++ fiat_secp384r1_addcarryx_u64(&x115, &x116, x114, x79, x103); ++ fiat_secp384r1_addcarryx_u64(&x117, &x118, x116, x81, x105); ++ fiat_secp384r1_addcarryx_u64(&x119, &x120, x118, x83, x107); ++ fiat_secp384r1_addcarryx_u64(&x121, &x122, x120, x85, x109); ++ fiat_secp384r1_addcarryx_u64(&x123, &x124, x122, x87, x111); ++ fiat_secp384r1_addcarryx_u64(&x125, &x126, x124, ((uint64_t)x88 + x60), ++ (x112 + x92)); ++ fiat_secp384r1_mulx_u64(&x127, &x128, x2, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x129, &x130, x2, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x131, &x132, x2, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x133, &x134, x2, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x135, &x136, 0x0, x134, x131); ++ fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x132, x129); ++ fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x130, x127); ++ fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x128, x2); ++ fiat_secp384r1_addcarryx_u64(&x143, &x144, 0x0, x115, x133); ++ fiat_secp384r1_addcarryx_u64(&x145, &x146, x144, x117, x135); ++ fiat_secp384r1_addcarryx_u64(&x147, &x148, x146, x119, x137); ++ fiat_secp384r1_addcarryx_u64(&x149, &x150, x148, x121, x139); ++ fiat_secp384r1_addcarryx_u64(&x151, &x152, x150, x123, x141); ++ fiat_secp384r1_addcarryx_u64(&x153, &x154, x152, x125, x142); ++ fiat_secp384r1_mulx_u64(&x155, &x156, x143, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x157, &x158, x155, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x159, &x160, x155, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x161, &x162, x155, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x163, &x164, x155, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x165, &x166, x155, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x167, &x168, x155, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x168, x165); ++ fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x166, x163); ++ fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x164, x161); ++ fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x162, x159); ++ fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x160, x157); ++ fiat_secp384r1_addcarryx_u64(&x179, &x180, 0x0, x143, x167); ++ fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x169); ++ fiat_secp384r1_addcarryx_u64(&x183, &x184, x182, x147, x171); ++ fiat_secp384r1_addcarryx_u64(&x185, &x186, x184, x149, x173); ++ fiat_secp384r1_addcarryx_u64(&x187, &x188, x186, x151, x175); ++ fiat_secp384r1_addcarryx_u64(&x189, &x190, x188, x153, x177); ++ fiat_secp384r1_addcarryx_u64(&x191, &x192, x190, ((uint64_t)x154 + x126), ++ (x178 + x158)); ++ fiat_secp384r1_mulx_u64(&x193, &x194, x3, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x195, &x196, x3, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x197, &x198, x3, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x199, &x200, x3, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x201, &x202, 0x0, x200, x197); ++ fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x198, x195); ++ fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x196, x193); ++ fiat_secp384r1_addcarryx_u64(&x207, &x208, x206, x194, x3); ++ fiat_secp384r1_addcarryx_u64(&x209, &x210, 0x0, x181, x199); ++ fiat_secp384r1_addcarryx_u64(&x211, &x212, x210, x183, x201); ++ fiat_secp384r1_addcarryx_u64(&x213, &x214, x212, x185, x203); ++ fiat_secp384r1_addcarryx_u64(&x215, &x216, x214, x187, x205); ++ fiat_secp384r1_addcarryx_u64(&x217, &x218, x216, x189, x207); ++ fiat_secp384r1_addcarryx_u64(&x219, &x220, x218, x191, x208); ++ fiat_secp384r1_mulx_u64(&x221, &x222, x209, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x223, &x224, x221, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x225, &x226, x221, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x227, &x228, x221, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x229, &x230, x221, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x231, &x232, x221, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x233, &x234, x221, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); ++ fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); ++ fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); ++ fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); ++ fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); ++ fiat_secp384r1_addcarryx_u64(&x245, &x246, 0x0, x209, x233); ++ fiat_secp384r1_addcarryx_u64(&x247, &x248, x246, x211, x235); ++ fiat_secp384r1_addcarryx_u64(&x249, &x250, x248, x213, x237); ++ fiat_secp384r1_addcarryx_u64(&x251, &x252, x250, x215, x239); ++ fiat_secp384r1_addcarryx_u64(&x253, &x254, x252, x217, x241); ++ fiat_secp384r1_addcarryx_u64(&x255, &x256, x254, x219, x243); ++ fiat_secp384r1_addcarryx_u64(&x257, &x258, x256, ((uint64_t)x220 + x192), ++ (x244 + x224)); ++ fiat_secp384r1_mulx_u64(&x259, &x260, x4, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x261, &x262, x4, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x263, &x264, x4, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x265, &x266, x4, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x267, &x268, 0x0, x266, x263); ++ fiat_secp384r1_addcarryx_u64(&x269, &x270, x268, x264, x261); ++ fiat_secp384r1_addcarryx_u64(&x271, &x272, x270, x262, x259); ++ fiat_secp384r1_addcarryx_u64(&x273, &x274, x272, x260, x4); ++ fiat_secp384r1_addcarryx_u64(&x275, &x276, 0x0, x247, x265); ++ fiat_secp384r1_addcarryx_u64(&x277, &x278, x276, x249, x267); ++ fiat_secp384r1_addcarryx_u64(&x279, &x280, x278, x251, x269); ++ fiat_secp384r1_addcarryx_u64(&x281, &x282, x280, x253, x271); ++ fiat_secp384r1_addcarryx_u64(&x283, &x284, x282, x255, x273); ++ fiat_secp384r1_addcarryx_u64(&x285, &x286, x284, x257, x274); ++ fiat_secp384r1_mulx_u64(&x287, &x288, x275, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x289, &x290, x287, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x291, &x292, x287, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x293, &x294, x287, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x295, &x296, x287, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x297, &x298, x287, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x299, &x300, x287, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x301, &x302, 0x0, x300, x297); ++ fiat_secp384r1_addcarryx_u64(&x303, &x304, x302, x298, x295); ++ fiat_secp384r1_addcarryx_u64(&x305, &x306, x304, x296, x293); ++ fiat_secp384r1_addcarryx_u64(&x307, &x308, x306, x294, x291); ++ fiat_secp384r1_addcarryx_u64(&x309, &x310, x308, x292, x289); ++ fiat_secp384r1_addcarryx_u64(&x311, &x312, 0x0, x275, x299); ++ fiat_secp384r1_addcarryx_u64(&x313, &x314, x312, x277, x301); ++ fiat_secp384r1_addcarryx_u64(&x315, &x316, x314, x279, x303); ++ fiat_secp384r1_addcarryx_u64(&x317, &x318, x316, x281, x305); ++ fiat_secp384r1_addcarryx_u64(&x319, &x320, x318, x283, x307); ++ fiat_secp384r1_addcarryx_u64(&x321, &x322, x320, x285, x309); ++ fiat_secp384r1_addcarryx_u64(&x323, &x324, x322, ((uint64_t)x286 + x258), ++ (x310 + x290)); ++ fiat_secp384r1_mulx_u64(&x325, &x326, x5, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x327, &x328, x5, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x329, &x330, x5, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x331, &x332, x5, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x333, &x334, 0x0, x332, x329); ++ fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x330, x327); ++ fiat_secp384r1_addcarryx_u64(&x337, &x338, x336, x328, x325); ++ fiat_secp384r1_addcarryx_u64(&x339, &x340, x338, x326, x5); ++ fiat_secp384r1_addcarryx_u64(&x341, &x342, 0x0, x313, x331); ++ fiat_secp384r1_addcarryx_u64(&x343, &x344, x342, x315, x333); ++ fiat_secp384r1_addcarryx_u64(&x345, &x346, x344, x317, x335); ++ fiat_secp384r1_addcarryx_u64(&x347, &x348, x346, x319, x337); ++ fiat_secp384r1_addcarryx_u64(&x349, &x350, x348, x321, x339); ++ fiat_secp384r1_addcarryx_u64(&x351, &x352, x350, x323, x340); ++ fiat_secp384r1_mulx_u64(&x353, &x354, x341, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x355, &x356, x353, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x357, &x358, x353, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x359, &x360, x353, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x361, &x362, x353, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x363, &x364, x353, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x365, &x366, x353, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x367, &x368, 0x0, x366, x363); ++ fiat_secp384r1_addcarryx_u64(&x369, &x370, x368, x364, x361); ++ fiat_secp384r1_addcarryx_u64(&x371, &x372, x370, x362, x359); ++ fiat_secp384r1_addcarryx_u64(&x373, &x374, x372, x360, x357); ++ fiat_secp384r1_addcarryx_u64(&x375, &x376, x374, x358, x355); ++ fiat_secp384r1_addcarryx_u64(&x377, &x378, 0x0, x341, x365); ++ fiat_secp384r1_addcarryx_u64(&x379, &x380, x378, x343, x367); ++ fiat_secp384r1_addcarryx_u64(&x381, &x382, x380, x345, x369); ++ fiat_secp384r1_addcarryx_u64(&x383, &x384, x382, x347, x371); ++ fiat_secp384r1_addcarryx_u64(&x385, &x386, x384, x349, x373); ++ fiat_secp384r1_addcarryx_u64(&x387, &x388, x386, x351, x375); ++ fiat_secp384r1_addcarryx_u64(&x389, &x390, x388, ((uint64_t)x352 + x324), ++ (x376 + x356)); ++ fiat_secp384r1_subborrowx_u64(&x391, &x392, 0x0, x379, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x393, &x394, x392, x381, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x395, &x396, x394, x383, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x397, &x398, x396, x385, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x399, &x400, x398, x387, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x401, &x402, x400, x389, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x403, &x404, x402, x390, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x405, x404, x391, x379); ++ fiat_secp384r1_cmovznz_u64(&x406, x404, x393, x381); ++ fiat_secp384r1_cmovznz_u64(&x407, x404, x395, x383); ++ fiat_secp384r1_cmovznz_u64(&x408, x404, x397, x385); ++ fiat_secp384r1_cmovznz_u64(&x409, x404, x399, x387); ++ fiat_secp384r1_cmovznz_u64(&x410, x404, x401, x389); ++ out1[0] = x405; ++ out1[1] = x406; ++ out1[2] = x407; ++ out1[3] = x408; ++ out1[4] = x409; ++ out1[5] = x410; ++} ++ ++/* ++ * The function fiat_secp384r1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ */ ++static void ++fiat_secp384r1_nonzero(uint64_t *out1, const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ x1 = ((arg1[0]) | ++ ((arg1[1]) | ++ ((arg1[2]) | ++ ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | (uint64_t)0x0)))))); ++ *out1 = x1; ++} ++ ++/* ++ * The function fiat_secp384r1_selectznz is a multi-limb conditional select. ++ * Postconditions: ++ * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_selectznz(uint64_t out1[6], ++ fiat_secp384r1_uint1 arg1, ++ const uint64_t arg2[6], ++ const uint64_t arg3[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ fiat_secp384r1_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); ++ fiat_secp384r1_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); ++ fiat_secp384r1_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); ++ fiat_secp384r1_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); ++ fiat_secp384r1_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); ++ fiat_secp384r1_cmovznz_u64(&x6, arg1, (arg2[5]), (arg3[5])); ++ out1[0] = x1; ++ out1[1] = x2; ++ out1[2] = x3; ++ out1[3] = x4; ++ out1[4] = x5; ++ out1[5] = x6; ++} ++ ++/* ++ * The function fiat_secp384r1_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ */ ++static void ++fiat_secp384r1_to_bytes(uint8_t out1[48], const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint8_t x8; ++ uint64_t x9; ++ uint8_t x10; ++ uint64_t x11; ++ uint8_t x12; ++ uint64_t x13; ++ uint8_t x14; ++ uint64_t x15; ++ uint8_t x16; ++ uint64_t x17; ++ uint8_t x18; ++ uint8_t x19; ++ uint8_t x20; ++ uint8_t x21; ++ uint64_t x22; ++ uint8_t x23; ++ uint64_t x24; ++ uint8_t x25; ++ uint64_t x26; ++ uint8_t x27; ++ uint64_t x28; ++ uint8_t x29; ++ uint64_t x30; ++ uint8_t x31; ++ uint64_t x32; ++ uint8_t x33; ++ uint8_t x34; ++ uint8_t x35; ++ uint8_t x36; ++ uint64_t x37; ++ uint8_t x38; ++ uint64_t x39; ++ uint8_t x40; ++ uint64_t x41; ++ uint8_t x42; ++ uint64_t x43; ++ uint8_t x44; ++ uint64_t x45; ++ uint8_t x46; ++ uint64_t x47; ++ uint8_t x48; ++ uint8_t x49; ++ uint8_t x50; ++ uint8_t x51; ++ uint64_t x52; ++ uint8_t x53; ++ uint64_t x54; ++ uint8_t x55; ++ uint64_t x56; ++ uint8_t x57; ++ uint64_t x58; ++ uint8_t x59; ++ uint64_t x60; ++ uint8_t x61; ++ uint64_t x62; ++ uint8_t x63; ++ uint8_t x64; ++ uint8_t x65; ++ uint8_t x66; ++ uint64_t x67; ++ uint8_t x68; ++ uint64_t x69; ++ uint8_t x70; ++ uint64_t x71; ++ uint8_t x72; ++ uint64_t x73; ++ uint8_t x74; ++ uint64_t x75; ++ uint8_t x76; ++ uint64_t x77; ++ uint8_t x78; ++ uint8_t x79; ++ uint8_t x80; ++ uint8_t x81; ++ uint64_t x82; ++ uint8_t x83; ++ uint64_t x84; ++ uint8_t x85; ++ uint64_t x86; ++ uint8_t x87; ++ uint64_t x88; ++ uint8_t x89; ++ uint64_t x90; ++ uint8_t x91; ++ uint64_t x92; ++ uint8_t x93; ++ uint8_t x94; ++ uint8_t x95; ++ x1 = (arg1[5]); ++ x2 = (arg1[4]); ++ x3 = (arg1[3]); ++ x4 = (arg1[2]); ++ x5 = (arg1[1]); ++ x6 = (arg1[0]); ++ x7 = (x6 >> 8); ++ x8 = (uint8_t)(x6 & UINT8_C(0xff)); ++ x9 = (x7 >> 8); ++ x10 = (uint8_t)(x7 & UINT8_C(0xff)); ++ x11 = (x9 >> 8); ++ x12 = (uint8_t)(x9 & UINT8_C(0xff)); ++ x13 = (x11 >> 8); ++ x14 = (uint8_t)(x11 & UINT8_C(0xff)); ++ x15 = (x13 >> 8); ++ x16 = (uint8_t)(x13 & UINT8_C(0xff)); ++ x17 = (x15 >> 8); ++ x18 = (uint8_t)(x15 & UINT8_C(0xff)); ++ x19 = (uint8_t)(x17 >> 8); ++ x20 = (uint8_t)(x17 & UINT8_C(0xff)); ++ x21 = (uint8_t)(x19 & UINT8_C(0xff)); ++ x22 = (x5 >> 8); ++ x23 = (uint8_t)(x5 & UINT8_C(0xff)); ++ x24 = (x22 >> 8); ++ x25 = (uint8_t)(x22 & UINT8_C(0xff)); ++ x26 = (x24 >> 8); ++ x27 = (uint8_t)(x24 & UINT8_C(0xff)); ++ x28 = (x26 >> 8); ++ x29 = (uint8_t)(x26 & UINT8_C(0xff)); ++ x30 = (x28 >> 8); ++ x31 = (uint8_t)(x28 & UINT8_C(0xff)); ++ x32 = (x30 >> 8); ++ x33 = (uint8_t)(x30 & UINT8_C(0xff)); ++ x34 = (uint8_t)(x32 >> 8); ++ x35 = (uint8_t)(x32 & UINT8_C(0xff)); ++ x36 = (uint8_t)(x34 & UINT8_C(0xff)); ++ x37 = (x4 >> 8); ++ x38 = (uint8_t)(x4 & UINT8_C(0xff)); ++ x39 = (x37 >> 8); ++ x40 = (uint8_t)(x37 & UINT8_C(0xff)); ++ x41 = (x39 >> 8); ++ x42 = (uint8_t)(x39 & UINT8_C(0xff)); ++ x43 = (x41 >> 8); ++ x44 = (uint8_t)(x41 & UINT8_C(0xff)); ++ x45 = (x43 >> 8); ++ x46 = (uint8_t)(x43 & UINT8_C(0xff)); ++ x47 = (x45 >> 8); ++ x48 = (uint8_t)(x45 & UINT8_C(0xff)); ++ x49 = (uint8_t)(x47 >> 8); ++ x50 = (uint8_t)(x47 & UINT8_C(0xff)); ++ x51 = (uint8_t)(x49 & UINT8_C(0xff)); ++ x52 = (x3 >> 8); ++ x53 = (uint8_t)(x3 & UINT8_C(0xff)); ++ x54 = (x52 >> 8); ++ x55 = (uint8_t)(x52 & UINT8_C(0xff)); ++ x56 = (x54 >> 8); ++ x57 = (uint8_t)(x54 & UINT8_C(0xff)); ++ x58 = (x56 >> 8); ++ x59 = (uint8_t)(x56 & UINT8_C(0xff)); ++ x60 = (x58 >> 8); ++ x61 = (uint8_t)(x58 & UINT8_C(0xff)); ++ x62 = (x60 >> 8); ++ x63 = (uint8_t)(x60 & UINT8_C(0xff)); ++ x64 = (uint8_t)(x62 >> 8); ++ x65 = (uint8_t)(x62 & UINT8_C(0xff)); ++ x66 = (uint8_t)(x64 & UINT8_C(0xff)); ++ x67 = (x2 >> 8); ++ x68 = (uint8_t)(x2 & UINT8_C(0xff)); ++ x69 = (x67 >> 8); ++ x70 = (uint8_t)(x67 & UINT8_C(0xff)); ++ x71 = (x69 >> 8); ++ x72 = (uint8_t)(x69 & UINT8_C(0xff)); ++ x73 = (x71 >> 8); ++ x74 = (uint8_t)(x71 & UINT8_C(0xff)); ++ x75 = (x73 >> 8); ++ x76 = (uint8_t)(x73 & UINT8_C(0xff)); ++ x77 = (x75 >> 8); ++ x78 = (uint8_t)(x75 & UINT8_C(0xff)); ++ x79 = (uint8_t)(x77 >> 8); ++ x80 = (uint8_t)(x77 & UINT8_C(0xff)); ++ x81 = (uint8_t)(x79 & UINT8_C(0xff)); ++ x82 = (x1 >> 8); ++ x83 = (uint8_t)(x1 & UINT8_C(0xff)); ++ x84 = (x82 >> 8); ++ x85 = (uint8_t)(x82 & UINT8_C(0xff)); ++ x86 = (x84 >> 8); ++ x87 = (uint8_t)(x84 & UINT8_C(0xff)); ++ x88 = (x86 >> 8); ++ x89 = (uint8_t)(x86 & UINT8_C(0xff)); ++ x90 = (x88 >> 8); ++ x91 = (uint8_t)(x88 & UINT8_C(0xff)); ++ x92 = (x90 >> 8); ++ x93 = (uint8_t)(x90 & UINT8_C(0xff)); ++ x94 = (uint8_t)(x92 >> 8); ++ x95 = (uint8_t)(x92 & UINT8_C(0xff)); ++ out1[0] = x8; ++ out1[1] = x10; ++ out1[2] = x12; ++ out1[3] = x14; ++ out1[4] = x16; ++ out1[5] = x18; ++ out1[6] = x20; ++ out1[7] = x21; ++ out1[8] = x23; ++ out1[9] = x25; ++ out1[10] = x27; ++ out1[11] = x29; ++ out1[12] = x31; ++ out1[13] = x33; ++ out1[14] = x35; ++ out1[15] = x36; ++ out1[16] = x38; ++ out1[17] = x40; ++ out1[18] = x42; ++ out1[19] = x44; ++ out1[20] = x46; ++ out1[21] = x48; ++ out1[22] = x50; ++ out1[23] = x51; ++ out1[24] = x53; ++ out1[25] = x55; ++ out1[26] = x57; ++ out1[27] = x59; ++ out1[28] = x61; ++ out1[29] = x63; ++ out1[30] = x65; ++ out1[31] = x66; ++ out1[32] = x68; ++ out1[33] = x70; ++ out1[34] = x72; ++ out1[35] = x74; ++ out1[36] = x76; ++ out1[37] = x78; ++ out1[38] = x80; ++ out1[39] = x81; ++ out1[40] = x83; ++ out1[41] = x85; ++ out1[42] = x87; ++ out1[43] = x89; ++ out1[44] = x91; ++ out1[45] = x93; ++ out1[46] = x95; ++ out1[47] = x94; ++} ++ ++/* ++ * The function fiat_secp384r1_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ bytes_eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = bytes_eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_from_bytes(uint64_t out1[6], ++ const uint8_t arg1[48]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint8_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint8_t x16; ++ uint64_t x17; ++ uint64_t x18; ++ uint64_t x19; ++ uint64_t x20; ++ uint64_t x21; ++ uint64_t x22; ++ uint64_t x23; ++ uint8_t x24; ++ uint64_t x25; ++ uint64_t x26; ++ uint64_t x27; ++ uint64_t x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint8_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ uint64_t x38; ++ uint64_t x39; ++ uint8_t x40; ++ uint64_t x41; ++ uint64_t x42; ++ uint64_t x43; ++ uint64_t x44; ++ uint64_t x45; ++ uint64_t x46; ++ uint64_t x47; ++ uint8_t x48; ++ uint64_t x49; ++ uint64_t x50; ++ uint64_t x51; ++ uint64_t x52; ++ uint64_t x53; ++ uint64_t x54; ++ uint64_t x55; ++ uint64_t x56; ++ uint64_t x57; ++ uint64_t x58; ++ uint64_t x59; ++ x1 = ((uint64_t)(arg1[47]) << 56); ++ x2 = ((uint64_t)(arg1[46]) << 48); ++ x3 = ((uint64_t)(arg1[45]) << 40); ++ x4 = ((uint64_t)(arg1[44]) << 32); ++ x5 = ((uint64_t)(arg1[43]) << 24); ++ x6 = ((uint64_t)(arg1[42]) << 16); ++ x7 = ((uint64_t)(arg1[41]) << 8); ++ x8 = (arg1[40]); ++ x9 = ((uint64_t)(arg1[39]) << 56); ++ x10 = ((uint64_t)(arg1[38]) << 48); ++ x11 = ((uint64_t)(arg1[37]) << 40); ++ x12 = ((uint64_t)(arg1[36]) << 32); ++ x13 = ((uint64_t)(arg1[35]) << 24); ++ x14 = ((uint64_t)(arg1[34]) << 16); ++ x15 = ((uint64_t)(arg1[33]) << 8); ++ x16 = (arg1[32]); ++ x17 = ((uint64_t)(arg1[31]) << 56); ++ x18 = ((uint64_t)(arg1[30]) << 48); ++ x19 = ((uint64_t)(arg1[29]) << 40); ++ x20 = ((uint64_t)(arg1[28]) << 32); ++ x21 = ((uint64_t)(arg1[27]) << 24); ++ x22 = ((uint64_t)(arg1[26]) << 16); ++ x23 = ((uint64_t)(arg1[25]) << 8); ++ x24 = (arg1[24]); ++ x25 = ((uint64_t)(arg1[23]) << 56); ++ x26 = ((uint64_t)(arg1[22]) << 48); ++ x27 = ((uint64_t)(arg1[21]) << 40); ++ x28 = ((uint64_t)(arg1[20]) << 32); ++ x29 = ((uint64_t)(arg1[19]) << 24); ++ x30 = ((uint64_t)(arg1[18]) << 16); ++ x31 = ((uint64_t)(arg1[17]) << 8); ++ x32 = (arg1[16]); ++ x33 = ((uint64_t)(arg1[15]) << 56); ++ x34 = ((uint64_t)(arg1[14]) << 48); ++ x35 = ((uint64_t)(arg1[13]) << 40); ++ x36 = ((uint64_t)(arg1[12]) << 32); ++ x37 = ((uint64_t)(arg1[11]) << 24); ++ x38 = ((uint64_t)(arg1[10]) << 16); ++ x39 = ((uint64_t)(arg1[9]) << 8); ++ x40 = (arg1[8]); ++ x41 = ((uint64_t)(arg1[7]) << 56); ++ x42 = ((uint64_t)(arg1[6]) << 48); ++ x43 = ((uint64_t)(arg1[5]) << 40); ++ x44 = ((uint64_t)(arg1[4]) << 32); ++ x45 = ((uint64_t)(arg1[3]) << 24); ++ x46 = ((uint64_t)(arg1[2]) << 16); ++ x47 = ((uint64_t)(arg1[1]) << 8); ++ x48 = (arg1[0]); ++ x49 = (x48 + (x47 + (x46 + (x45 + (x44 + (x43 + (x42 + x41))))))); ++ x50 = (x49 & UINT64_C(0xffffffffffffffff)); ++ x51 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); ++ x52 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + x9))))))); ++ x53 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); ++ x54 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); ++ x55 = (x40 + (x39 + (x38 + (x37 + (x36 + (x35 + (x34 + x33))))))); ++ x56 = (x55 & UINT64_C(0xffffffffffffffff)); ++ x57 = (x54 & UINT64_C(0xffffffffffffffff)); ++ x58 = (x53 & UINT64_C(0xffffffffffffffff)); ++ x59 = (x52 & UINT64_C(0xffffffffffffffff)); ++ out1[0] = x50; ++ out1[1] = x56; ++ out1[2] = x57; ++ out1[3] = x58; ++ out1[4] = x59; ++ out1[5] = x51; ++} ++ ++/* END verbatim fiat code */ ++ ++/*- ++ * Finite field inversion via FLT. ++ * NB: this is not a real Fiat function, just named that way for consistency. ++ * Autogenerated: ecp/secp384r1/fe_inv.op3 ++ * custom repunit addition chain ++ */ ++static void ++fiat_secp384r1_inv(fe_t output, const fe_t t1) ++{ ++ int i; ++ /* temporary variables */ ++ fe_t acc, t10, t170, t2, t20, t255, t30, t32, t4, t64, t8, t84, t85; ++ ++ fiat_secp384r1_square(acc, t1); ++ fiat_secp384r1_mul(t2, acc, t1); ++ fiat_secp384r1_square(acc, t2); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t4, acc, t2); ++ fiat_secp384r1_square(acc, t4); ++ for (i = 0; i < 3; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t8, acc, t4); ++ fiat_secp384r1_square(acc, t8); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t10, acc, t2); ++ fiat_secp384r1_square(acc, t10); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t20, acc, t10); ++ fiat_secp384r1_square(acc, t20); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t30, acc, t10); ++ fiat_secp384r1_square(acc, t30); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t32, acc, t2); ++ fiat_secp384r1_square(acc, t32); ++ for (i = 0; i < 31; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t64, acc, t32); ++ fiat_secp384r1_square(acc, t64); ++ for (i = 0; i < 19; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t84, acc, t20); ++ fiat_secp384r1_square(acc, t84); ++ fiat_secp384r1_mul(t85, acc, t1); ++ fiat_secp384r1_square(acc, t85); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t170, acc, t85); ++ fiat_secp384r1_square(acc, t170); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t255, acc, t85); ++ fiat_secp384r1_square(acc, t255); ++ for (i = 0; i < 32; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t32); ++ for (i = 0; i < 94; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t30); ++ for (i = 0; i < 2; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(output, acc, t1); ++} ++ ++/* curve coefficient constants */ ++ ++static const limb_t const_one[6] = { ++ UINT64_C(0xFFFFFFFF00000001), UINT64_C(0x00000000FFFFFFFF), ++ UINT64_C(0x0000000000000001), UINT64_C(0x0000000000000000), ++ UINT64_C(0x0000000000000000), UINT64_C(0x0000000000000000) ++}; ++ ++static const limb_t const_b[6] = { ++ UINT64_C(0x081188719D412DCC), UINT64_C(0xF729ADD87A4C32EC), ++ UINT64_C(0x77F2209B1920022E), UINT64_C(0xE3374BEE94938AE2), ++ UINT64_C(0xB62B21F41F022094), UINT64_C(0xCD08114B604FBFF9) ++}; ++ ++/* LUT for scalar multiplication by comb interleaving */ ++static const pt_aff_t lut_cmb[21][16] = { ++ { ++ { { UINT64_C(0x3DD0756649C0B528), UINT64_C(0x20E378E2A0D6CE38), ++ UINT64_C(0x879C3AFC541B4D6E), UINT64_C(0x6454868459A30EFF), ++ UINT64_C(0x812FF723614EDE2B), UINT64_C(0x4D3AADC2299E1513) }, ++ { UINT64_C(0x23043DAD4B03A4FE), UINT64_C(0xA1BFA8BF7BB4A9AC), ++ UINT64_C(0x8BADE7562E83B050), UINT64_C(0xC6C3521968F4FFD9), ++ UINT64_C(0xDD8002263969A840), UINT64_C(0x2B78ABC25A15C5E9) } }, ++ { { UINT64_C(0x05E4DBE6C1DC4073), UINT64_C(0xC54EA9FFF04F779C), ++ UINT64_C(0x6B2034E9A170CCF0), UINT64_C(0x3A48D732D51C6C3E), ++ UINT64_C(0xE36F7E2D263AA470), UINT64_C(0xD283FE68E7C1C3AC) }, ++ { UINT64_C(0x7E284821C04EE157), UINT64_C(0x92D789A77AE0E36D), ++ UINT64_C(0x132663C04EF67446), UINT64_C(0x68012D5AD2E1D0B4), ++ UINT64_C(0xF6DB68B15102B339), UINT64_C(0x465465FC983292AF) } }, ++ { { UINT64_C(0xBB595EBA68F1F0DF), UINT64_C(0xC185C0CBCC873466), ++ UINT64_C(0x7F1EB1B5293C703B), UINT64_C(0x60DB2CF5AACC05E6), ++ UINT64_C(0xC676B987E2E8E4C6), UINT64_C(0xE1BB26B11D178FFB) }, ++ { UINT64_C(0x2B694BA07073FA21), UINT64_C(0x22C16E2E72F34566), ++ UINT64_C(0x80B61B3101C35B99), UINT64_C(0x4B237FAF982C0411), ++ UINT64_C(0xE6C5944024DE236D), UINT64_C(0x4DB1C9D6E209E4A3) } }, ++ { { UINT64_C(0xDF13B9D17D69222B), UINT64_C(0x4CE6415F874774B1), ++ UINT64_C(0x731EDCF8211FAA95), UINT64_C(0x5F4215D1659753ED), ++ UINT64_C(0xF893DB589DB2DF55), UINT64_C(0x932C9F811C89025B) }, ++ { UINT64_C(0x0996B2207706A61E), UINT64_C(0x135349D5A8641C79), ++ UINT64_C(0x65AAD76F50130844), UINT64_C(0x0FF37C0401FFF780), ++ UINT64_C(0xF57F238E693B0706), UINT64_C(0xD90A16B6AF6C9B3E) } }, ++ { { UINT64_C(0x2F5D200E2353B92F), UINT64_C(0xE35D87293FD7E4F9), ++ UINT64_C(0x26094833A96D745D), UINT64_C(0xDC351DC13CBFFF3F), ++ UINT64_C(0x26D464C6DAD54D6A), UINT64_C(0x5CAB1D1D53636C6A) }, ++ { UINT64_C(0xF2813072B18EC0B0), UINT64_C(0x3777E270D742AA2F), ++ UINT64_C(0x27F061C7033CA7C2), UINT64_C(0xA6ECACCC68EAD0D8), ++ UINT64_C(0x7D9429F4EE69A754), UINT64_C(0xE770633431E8F5C6) } }, ++ { { UINT64_C(0xC7708B19B68B8C7D), UINT64_C(0x4532077C44377ABA), ++ UINT64_C(0x0DCC67706CDAD64F), UINT64_C(0x01B8BF56147B6602), ++ UINT64_C(0xF8D89885F0561D79), UINT64_C(0x9C19E9FC7BA9C437) }, ++ { UINT64_C(0x764EB146BDC4BA25), UINT64_C(0x604FE46BAC144B83), ++ UINT64_C(0x3CE813298A77E780), UINT64_C(0x2E070F36FE9E682E), ++ UINT64_C(0x41821D0C3A53287A), UINT64_C(0x9AA62F9F3533F918) } }, ++ { { UINT64_C(0x9B7AEB7E75CCBDFB), UINT64_C(0xB25E28C5F6749A95), ++ UINT64_C(0x8A7A8E4633B7D4AE), UINT64_C(0xDB5203A8D9C1BD56), ++ UINT64_C(0xD2657265ED22DF97), UINT64_C(0xB51C56E18CF23C94) }, ++ { UINT64_C(0xF4D394596C3D812D), UINT64_C(0xD8E88F1A87CAE0C2), ++ UINT64_C(0x789A2A48CF4D0FE3), UINT64_C(0xB7FEAC2DFEC38D60), ++ UINT64_C(0x81FDBD1C3B490EC3), UINT64_C(0x4617ADB7CC6979E1) } }, ++ { { UINT64_C(0x446AD8884709F4A9), UINT64_C(0x2B7210E2EC3DABD8), ++ UINT64_C(0x83CCF19550E07B34), UINT64_C(0x59500917789B3075), ++ UINT64_C(0x0FC01FD4EB085993), UINT64_C(0xFB62D26F4903026B) }, ++ { UINT64_C(0x2309CC9D6FE989BB), UINT64_C(0x61609CBD144BD586), ++ UINT64_C(0x4B23D3A0DE06610C), UINT64_C(0xDDDC2866D898F470), ++ UINT64_C(0x8733FC41400C5797), UINT64_C(0x5A68C6FED0BC2716) } }, ++ { { UINT64_C(0x8903E1304B4A3CD0), UINT64_C(0x3EA4EA4C8FF1F43E), ++ UINT64_C(0xE6FC3F2AF655A10D), UINT64_C(0x7BE3737D524FFEFC), ++ UINT64_C(0x9F6928555330455E), UINT64_C(0x524F166EE475CE70) }, ++ { UINT64_C(0x3FCC69CD6C12F055), UINT64_C(0x4E23B6FFD5B9C0DA), ++ UINT64_C(0x49CE6993336BF183), UINT64_C(0xF87D6D854A54504A), ++ UINT64_C(0x25EB5DF1B3C2677A), UINT64_C(0xAC37986F55B164C9) } }, ++ { { UINT64_C(0x82A2ED4ABAA84C08), UINT64_C(0x22C4CC5F41A8C912), ++ UINT64_C(0xCA109C3B154AAD5E), UINT64_C(0x23891298FC38538E), ++ UINT64_C(0xB3B6639C539802AE), UINT64_C(0xFA0F1F450390D706) }, ++ { UINT64_C(0x46B78E5DB0DC21D0), UINT64_C(0xA8C72D3CC3DA2EAC), ++ UINT64_C(0x9170B3786FF2F643), UINT64_C(0x3F5A799BB67F30C3), ++ UINT64_C(0x15D1DC778264B672), UINT64_C(0xA1D47B23E9577764) } }, ++ { { UINT64_C(0x08265E510422CE2F), UINT64_C(0x88E0D496DD2F9E21), ++ UINT64_C(0x30128AA06177F75D), UINT64_C(0x2E59AB62BD9EBE69), ++ UINT64_C(0x1B1A0F6C5DF0E537), UINT64_C(0xAB16C626DAC012B5) }, ++ { UINT64_C(0x8014214B008C5DE7), UINT64_C(0xAA740A9E38F17BEA), ++ UINT64_C(0x262EBB498A149098), UINT64_C(0xB454111E8527CD59), ++ UINT64_C(0x266AD15AACEA5817), UINT64_C(0x21824F411353CCBA) } }, ++ { { UINT64_C(0xD1B4E74D12E3683B), UINT64_C(0x990ED20B569B8EF6), ++ UINT64_C(0xB9D3DD25429C0A18), UINT64_C(0x1C75B8AB2A351783), ++ UINT64_C(0x61E4CA2B905432F0), UINT64_C(0x80826A69EEA8F224) }, ++ { UINT64_C(0x7FC33A6BEC52ABAD), UINT64_C(0x0BCCA3F0A65E4813), ++ UINT64_C(0x7AD8A132A527CEBE), UINT64_C(0xF0138950EAF22C7E), ++ UINT64_C(0x282D2437566718C1), UINT64_C(0x9DFCCB0DE2212559) } }, ++ { { UINT64_C(0x1E93722758CE3B83), UINT64_C(0xBB280DFA3CB3FB36), ++ UINT64_C(0x57D0F3D2E2BE174A), UINT64_C(0x9BD51B99208ABE1E), ++ UINT64_C(0x3809AB50DE248024), UINT64_C(0xC29C6E2CA5BB7331) }, ++ { UINT64_C(0x9944FD2E61124F05), UINT64_C(0x83CCBC4E9009E391), ++ UINT64_C(0x01628F059424A3CC), UINT64_C(0xD6A2F51DEA8E4344), ++ UINT64_C(0xDA3E1A3D4CEBC96E), UINT64_C(0x1FE6FB42E97809DC) } }, ++ { { UINT64_C(0xA04482D2467D66E4), UINT64_C(0xCF1912934D78291D), ++ UINT64_C(0x8E0D4168482396F9), UINT64_C(0x7228E2D5D18F14D0), ++ UINT64_C(0x2F7E8D509C6A58FE), UINT64_C(0xE8CA780E373E5AEC) }, ++ { UINT64_C(0x42AAD1D61B68E9F8), UINT64_C(0x58A6D7F569E2F8F4), ++ UINT64_C(0xD779ADFE31DA1BEA), UINT64_C(0x7D26540638C85A85), ++ UINT64_C(0x67E67195D44D3CDF), UINT64_C(0x17820A0BC5134ED7) } }, ++ { { UINT64_C(0x019D6AC5D3021470), UINT64_C(0x25846B66780443D6), ++ UINT64_C(0xCE3C15ED55C97647), UINT64_C(0x3DC22D490E3FEB0F), ++ UINT64_C(0x2065B7CBA7DF26E4), UINT64_C(0xC8B00AE8187CEA1F) }, ++ { UINT64_C(0x1A5284A0865DDED3), UINT64_C(0x293C164920C83DE2), ++ UINT64_C(0xAB178D26CCE851B3), UINT64_C(0x8E6DB10B404505FB), ++ UINT64_C(0xF6F57E7190C82033), UINT64_C(0x1D2A1C015977F16C) } }, ++ { { UINT64_C(0xA39C89317C8906A4), UINT64_C(0xB6E7ECDD9E821EE6), ++ UINT64_C(0x2ECF8340F0DF4FE6), UINT64_C(0xD42F7DC953C14965), ++ UINT64_C(0x1AFB51A3E3BA8285), UINT64_C(0x6C07C4040A3305D1) }, ++ { UINT64_C(0xDAB83288127FC1DA), UINT64_C(0xBC0A699B374C4B08), ++ UINT64_C(0x402A9BAB42EB20DD), UINT64_C(0xD7DD464F045A7A1C), ++ UINT64_C(0x5B3D0D6D36BEECC4), UINT64_C(0x475A3E756398A19D) } }, ++ }, ++ { ++ { { UINT64_C(0x31BDB48372876AE8), UINT64_C(0xE3325D98961ED1BF), ++ UINT64_C(0x18C042469B6FC64D), UINT64_C(0x0DCC15FA15786B8C), ++ UINT64_C(0x81ACDB068E63DA4A), UINT64_C(0xD3A4B643DADA70FB) }, ++ { UINT64_C(0x46361AFEDEA424EB), UINT64_C(0xDC2D2CAE89B92970), ++ UINT64_C(0xF389B61B615694E6), UINT64_C(0x7036DEF1872951D2), ++ UINT64_C(0x40FD3BDAD93BADC7), UINT64_C(0x45AB6321380A68D3) } }, ++ { { UINT64_C(0x23C1F74481A2703A), UINT64_C(0x1A5D075CB9859136), ++ UINT64_C(0xA4F82C9D5AFD1BFD), UINT64_C(0xA3D1E9A4F89D76FE), ++ UINT64_C(0x964F705075702F80), UINT64_C(0x182BF349F56C089D) }, ++ { UINT64_C(0xE205FA8FBE0DA6E1), UINT64_C(0x32905EB90A40F8F3), ++ UINT64_C(0x331A1004356D4395), UINT64_C(0x58B78901FDBBDFDE), ++ UINT64_C(0xA52A15979BA00E71), UINT64_C(0xE0092E1F55497A30) } }, ++ { { UINT64_C(0x5562A85670EE8F39), UINT64_C(0x86B0C11764E52A9C), ++ UINT64_C(0xC19F317409C75B8C), UINT64_C(0x21C7CC3124923F80), ++ UINT64_C(0xE63FE47F8F5B291E), UINT64_C(0x3D6D3C050DC08B05) }, ++ { UINT64_C(0x58AE455EEE0C39A1), UINT64_C(0x78BEA4310AD97942), ++ UINT64_C(0x42C7C97F3EE3989C), UINT64_C(0xC1B03AF5F38759AE), ++ UINT64_C(0x1A673C75BCF46899), UINT64_C(0x4831B7D38D508C7D) } }, ++ { { UINT64_C(0x76512D1BC552E354), UINT64_C(0x2B7EB6DF273020FD), ++ UINT64_C(0xD1C73AA8025A5F25), UINT64_C(0x2ABA19295CBD2A40), ++ UINT64_C(0xB53CADC3C88D61C6), UINT64_C(0x7E66A95E098290F3) }, ++ { UINT64_C(0x72800ECBAF4C5073), UINT64_C(0x81F2725E9DC63FAF), ++ UINT64_C(0x14BF92A7282BA9D1), UINT64_C(0x90629672BD5F1BB2), ++ UINT64_C(0x362F68EBA97C6C96), UINT64_C(0xB1D3BB8B7EA9D601) } }, ++ { { UINT64_C(0x73878F7FA9C94429), UINT64_C(0xB35C3BC8456CA6D8), ++ UINT64_C(0xD96F0B3CF721923A), UINT64_C(0x28D8F06CE6D44FA1), ++ UINT64_C(0x94EFDCDCD5CD671A), UINT64_C(0x0299AB933F97D481) }, ++ { UINT64_C(0xB7CED6EA2FD1D324), UINT64_C(0xBD6832087E932EC2), ++ UINT64_C(0x24ED31FBCB755A6E), UINT64_C(0xA636098EE48781D2), ++ UINT64_C(0x8687C63CF0A4F297), UINT64_C(0xBB52344007478526) } }, ++ { { UINT64_C(0x2E5F741934124B56), UINT64_C(0x1F223AE14B3F02CA), ++ UINT64_C(0x6345B427E8336C7E), UINT64_C(0x92123E16F5D0E3D0), ++ UINT64_C(0xDAF0D14D45E79F3A), UINT64_C(0x6ACA67656F3BD0C6) }, ++ { UINT64_C(0xF6169FAB403813F4), UINT64_C(0x31DC39C0334A4C59), ++ UINT64_C(0x74C46753D589866D), UINT64_C(0x5741511D984C6A5D), ++ UINT64_C(0xF263128797FED2D3), UINT64_C(0x5687CA1B11614886) } }, ++ { { UINT64_C(0x076D902A33836D4B), UINT64_C(0xEC6C5C4324AFB557), ++ UINT64_C(0xA0FE2D1CA0516A0F), UINT64_C(0x6FB8D73700D22ECC), ++ UINT64_C(0xF1DE9077DAF1D7B3), UINT64_C(0xE4695F77D4C0C1EB) }, ++ { UINT64_C(0x5F0FD8A8B4375573), UINT64_C(0x762383595E50944F), ++ UINT64_C(0x65EA2F28635CD76F), UINT64_C(0x0854776925FDE7B0), ++ UINT64_C(0xB2345A2E51944304), UINT64_C(0x86EFA2F7A16C980D) } }, ++ { { UINT64_C(0x4CCBE2D0BF4D1D63), UINT64_C(0x32E33401397366D5), ++ UINT64_C(0xC83AFDDE71BDA2CE), UINT64_C(0x8DACE2AC478ED9E6), ++ UINT64_C(0x3AC6A559763FDD9E), UINT64_C(0x0FFDB04CB398558F) }, ++ { UINT64_C(0x6C1B99B2AFB9D6B8), UINT64_C(0x572BA39C27F815DD), ++ UINT64_C(0x9DE73EE70DBCF842), UINT64_C(0x2A3ED58929267B88), ++ UINT64_C(0xD46A7FD315EBBBB3), UINT64_C(0xD1D01863E29400C7) } }, ++ { { UINT64_C(0x8FB101D1E1F89EC5), UINT64_C(0xB87A1F53F8508042), ++ UINT64_C(0x28C8DB240ED7BEEF), UINT64_C(0x3940F845ACE8660A), ++ UINT64_C(0x4EACB619C6D453FD), UINT64_C(0x2E044C982BAD6160) }, ++ { UINT64_C(0x8792854880B16C02), UINT64_C(0xF0D4BEB3C0A9EB64), ++ UINT64_C(0xD785B4AFC183C195), UINT64_C(0x23AAB0E65E6C46EA), ++ UINT64_C(0x30F7E104A930FECA), UINT64_C(0x6A1A7B8BD55C10FB) } }, ++ { { UINT64_C(0xDA74EAEBDBFED1AA), UINT64_C(0xC8A59223DF0B025C), ++ UINT64_C(0x7EF7DC85D5B627F7), UINT64_C(0x02A13AE1197D7624), ++ UINT64_C(0x119E9BE12F785A9B), UINT64_C(0xC0B7572F00D6B219) }, ++ { UINT64_C(0x9B1E51266D4CAF30), UINT64_C(0xA16A51170A840BD1), ++ UINT64_C(0x5BE17B910E9CCF43), UINT64_C(0x5BDBEDDD69CF2C9C), ++ UINT64_C(0x9FFBFBCF4CF4F289), UINT64_C(0xE1A621836C355CE9) } }, ++ { { UINT64_C(0x056199D9A7B2FCCF), UINT64_C(0x51F2E7B6CE1D784E), ++ UINT64_C(0xA1D09C47339E2FF0), UINT64_C(0xC8E64890B836D0A9), ++ UINT64_C(0x2F781DCBC0D07EBE), UINT64_C(0x5CF3C2AD3ACF934C) }, ++ { UINT64_C(0xE55DB190A17E26AE), UINT64_C(0xC9C61E1F91245513), ++ UINT64_C(0x83D7E6CF61998C15), UINT64_C(0x4DB33C85E41D38E3), ++ UINT64_C(0x74D5F91DC2FEE43D), UINT64_C(0x7EBBDB4536BBC826) } }, ++ { { UINT64_C(0xE20EC7E9CB655A9D), UINT64_C(0x4977EB925C47D421), ++ UINT64_C(0xA237E12C3B9D72FA), UINT64_C(0xCAAEDBC1CBF7B145), ++ UINT64_C(0x5200F5B23B77AAA3), UINT64_C(0x32EDED55BDBE5380) }, ++ { UINT64_C(0x74E38A40E7C9B80A), UINT64_C(0x3A3F0CF8AB6DE911), ++ UINT64_C(0x56DCDD7AAD16AAF0), UINT64_C(0x3D2924498E861D5E), ++ UINT64_C(0xD6C61878985733E2), UINT64_C(0x2401FE7D6AA6CD5B) } }, ++ { { UINT64_C(0xABB3DC75B42E3686), UINT64_C(0xAE712419B4C57E61), ++ UINT64_C(0x2C565F72B21B009B), UINT64_C(0xA5F1DA2E710C3699), ++ UINT64_C(0x771099A0A5EBA59A), UINT64_C(0x4DA88F4AC10017A0) }, ++ { UINT64_C(0x987FFFD31927B56D), UINT64_C(0xB98CB8ECC4E33478), ++ UINT64_C(0xB224A971C2248166), UINT64_C(0x5470F554DE1DC794), ++ UINT64_C(0xD747CC24E31FF983), UINT64_C(0xB91745E9B5B22DAE) } }, ++ { { UINT64_C(0x6CCBFED072F34420), UINT64_C(0x95045E4DA53039D2), ++ UINT64_C(0x3B6C11545A793944), UINT64_C(0xAA114145DDB6B799), ++ UINT64_C(0xABC15CA4252B7637), UINT64_C(0x5745A35BA5744634) }, ++ { UINT64_C(0x05DC6BDEDA596FC0), UINT64_C(0xCD52C18CA8020881), ++ UINT64_C(0x03FA9F47D296BAD0), UINT64_C(0xD8E2C1297268E139), ++ UINT64_C(0x58C1A98D9EC450B0), UINT64_C(0x909638DADE48B20D) } }, ++ { { UINT64_C(0x7AFC30D49B7F8311), UINT64_C(0x82A0042242368EA3), ++ UINT64_C(0xBFF951986F5F9865), UINT64_C(0x9B24F612FC0A070F), ++ UINT64_C(0x22C06CF2620F489D), UINT64_C(0x3C7ED052780F7DBB) }, ++ { UINT64_C(0xDB87AB1834DAFE9B), UINT64_C(0x20C03B409C4BBCA1), ++ UINT64_C(0x5D718CF059A42341), UINT64_C(0x9863170669E84538), ++ UINT64_C(0x5557192BD27D64E1), UINT64_C(0x08B4EC52DA822766) } }, ++ { { UINT64_C(0xB2D986F6D66C1A59), UINT64_C(0x927DEB1678E0E423), ++ UINT64_C(0x9E673CDE49C3DEDC), UINT64_C(0xFA362D84F7ECB6CF), ++ UINT64_C(0x078E5F401BA17340), UINT64_C(0x934CA5D11F4E489C) }, ++ { UINT64_C(0xC03C073164EEF493), UINT64_C(0x631A353BD7931A7E), ++ UINT64_C(0x8E7CC3BB65DD74F1), UINT64_C(0xD55864C5702676A5), ++ UINT64_C(0x6D306AC4439F04BD), UINT64_C(0x58544F672BAFED57) } }, ++ }, ++ { ++ { { UINT64_C(0xB083BA6AEC074AEA), UINT64_C(0x46FAC5EF7F0B505B), ++ UINT64_C(0x95367A21FC82DC03), UINT64_C(0x227BE26A9D3679D8), ++ UINT64_C(0xC70F6D6C7E9724C0), UINT64_C(0xCD68C757F9EBEC0F) }, ++ { UINT64_C(0x29DDE03E8FF321B2), UINT64_C(0xF84AD7BB031939DC), ++ UINT64_C(0xDAF590C90F602F4B), UINT64_C(0x17C5288849722BC4), ++ UINT64_C(0xA8DF99F0089B22B6), UINT64_C(0xC21BC5D4E59B9B90) } }, ++ { { UINT64_C(0x4936C6A08A31973F), UINT64_C(0x54D442FA83B8C205), ++ UINT64_C(0x03AEE8B45714F2C6), UINT64_C(0x139BD6923F5AC25A), ++ UINT64_C(0x6A2E42BAB5B33794), UINT64_C(0x50FA11643FF7BBA9) }, ++ { UINT64_C(0xB61D8643F7E2C099), UINT64_C(0x2366C993BD5C6637), ++ UINT64_C(0x62110E1472EB77FA), UINT64_C(0x3D5B96F13B99C635), ++ UINT64_C(0x956ECF64F674C9F2), UINT64_C(0xC56F7E51EF2BA250) } }, ++ { { UINT64_C(0x246FFCB6FF602C1B), UINT64_C(0x1E1A1D746E1258E0), ++ UINT64_C(0xB4B43AE2250E6676), UINT64_C(0x95C1B5F0924CE5FA), ++ UINT64_C(0x2555795BEBD8C776), UINT64_C(0x4C1E03DCACD9D9D0) }, ++ { UINT64_C(0xE1D74AA69CE90C61), UINT64_C(0xA88C0769A9C4B9F9), ++ UINT64_C(0xDF74DF2795AF56DE), UINT64_C(0x24B10C5FB331B6F4), ++ UINT64_C(0xB0A6DF9A6559E137), UINT64_C(0x6ACC1B8FC06637F2) } }, ++ { { UINT64_C(0xBD8C086834B4E381), UINT64_C(0x278CACC730DFF271), ++ UINT64_C(0x87ED12DE02459389), UINT64_C(0x3F7D98FFDEF840B6), ++ UINT64_C(0x71EEE0CB5F0B56E1), UINT64_C(0x462B5C9BD8D9BE87) }, ++ { UINT64_C(0xE6B50B5A98094C0F), UINT64_C(0x26F3B274508C67CE), ++ UINT64_C(0x418B1BD17CB1F992), UINT64_C(0x607818ED4FF11827), ++ UINT64_C(0xE630D93A9B042C63), UINT64_C(0x38B9EFF38C779AE3) } }, ++ { { UINT64_C(0xE8767D36729C5431), UINT64_C(0xA8BD07C0BB94642C), ++ UINT64_C(0x0C11FC8E58F2E5B2), UINT64_C(0xD8912D48547533FE), ++ UINT64_C(0xAAE14F5E230D91FB), UINT64_C(0xC122051A676DFBA0) }, ++ { UINT64_C(0x9ED4501F5EA93078), UINT64_C(0x2758515CBD4BEE0A), ++ UINT64_C(0x97733C6C94D21F52), UINT64_C(0x139BCD6D4AD306A2), ++ UINT64_C(0x0AAECBDC298123CC), UINT64_C(0x102B8A311CB7C7C9) } }, ++ { { UINT64_C(0x22A28E59FAF46675), UINT64_C(0x1075730810A31E7D), ++ UINT64_C(0xC7EEAC842B4C2F4F), UINT64_C(0xBA370148B5EF5184), ++ UINT64_C(0x4A5A28668732E055), UINT64_C(0x14B8DCDCB887C36F) }, ++ { UINT64_C(0xDBA8C85C433F093D), UINT64_C(0x73DF549D1C9A201C), ++ UINT64_C(0x69AA0D7B70F927D8), UINT64_C(0xFA3A8685D7D2493A), ++ UINT64_C(0x6F48A2550A7F4013), UINT64_C(0xD20C8BF9DD393067) } }, ++ { { UINT64_C(0x4EC874EA81625E78), UINT64_C(0x8B8D8B5A3FBE9267), ++ UINT64_C(0xA3D9D1649421EC2F), UINT64_C(0x490E92D9880EA295), ++ UINT64_C(0x745D1EDCD8F3B6DA), UINT64_C(0x0116628B8F18BA03) }, ++ { UINT64_C(0x0FF6BCE0834EADCE), UINT64_C(0x464697F2000827F7), ++ UINT64_C(0x08DCCF84498D724E), UINT64_C(0x7896D3651E88304C), ++ UINT64_C(0xE63EBCCE135E3622), UINT64_C(0xFB942E8EDC007521) } }, ++ { { UINT64_C(0xBB155A66A3688621), UINT64_C(0xED2FD7CDF91B52A3), ++ UINT64_C(0x52798F5DEA20CB88), UINT64_C(0x069CE105373F7DD8), ++ UINT64_C(0xF9392EC78CA78F6B), UINT64_C(0xB3013E256B335169) }, ++ { UINT64_C(0x1D92F8006B11715C), UINT64_C(0xADD4050EFF9DC464), ++ UINT64_C(0x2AC226598465B84A), UINT64_C(0x2729D646465B2BD6), ++ UINT64_C(0x6202344AE4EFF9DD), UINT64_C(0x51F3198FCD9B90B9) } }, ++ { { UINT64_C(0x17CE54EFE5F0AE1D), UINT64_C(0x984E8204B09852AF), ++ UINT64_C(0x3365B37AC4B27A71), UINT64_C(0x720E3152A00E0A9C), ++ UINT64_C(0x3692F70D925BD606), UINT64_C(0xBE6E699D7BC7E9AB) }, ++ { UINT64_C(0xD75C041F4C89A3C0), UINT64_C(0x8B9F592D8DC100C0), ++ UINT64_C(0x30750F3AAD228F71), UINT64_C(0x1B9ECF84E8B17A11), ++ UINT64_C(0xDF2025620FBFA8A2), UINT64_C(0x45C811FCAA1B6D67) } }, ++ { { UINT64_C(0xEC5B84B71A5151F8), UINT64_C(0x118E59E8550AB2D2), ++ UINT64_C(0x2CCDEDA4049BD735), UINT64_C(0xC99CBA719CD62F0F), ++ UINT64_C(0x69B8040A62C9E4F8), UINT64_C(0x16F1A31A110B8283) }, ++ { UINT64_C(0x53F6380298E908A3), UINT64_C(0x308CB6EFD862F9DE), ++ UINT64_C(0xE185DAD8A521A95A), UINT64_C(0x4D8FE9A4097F75CA), ++ UINT64_C(0xD1ECCEC71CA07D53), UINT64_C(0x13DFA1DC0DB07E83) } }, ++ { { UINT64_C(0xDDAF9DC60F591A76), UINT64_C(0xE1A6D7CC1685F412), ++ UINT64_C(0x153DE557002B6E8D), UINT64_C(0x730C38BCC6DA37D9), ++ UINT64_C(0xAE1806220914B597), UINT64_C(0x84F98103DD8C3A0A) }, ++ { UINT64_C(0x369C53988DA205B0), UINT64_C(0xA3D95B813888A720), ++ UINT64_C(0x1F3F8BBFE10E2806), UINT64_C(0x48663DF54530D1F3), ++ UINT64_C(0x320523B43E377713), UINT64_C(0xE8B1A575C7894814) } }, ++ { { UINT64_C(0x330668712EE8EA07), UINT64_C(0xC6FB4EC560DA199D), ++ UINT64_C(0x33231860F4370A05), UINT64_C(0x7ABECE72C6DE4E26), ++ UINT64_C(0xDE8D4BD8EBDECE7A), UINT64_C(0xC90EE6571CBE93C7) }, ++ { UINT64_C(0x0246751B85AC2509), UINT64_C(0xD0EF142C30380245), ++ UINT64_C(0x086DF9C47C76E39C), UINT64_C(0x68F1304FB789FB56), ++ UINT64_C(0x23E4CB98A5E4BD56), UINT64_C(0x69A4C63C64663DCA) } }, ++ { { UINT64_C(0x6C72B6AF7CB34E63), UINT64_C(0x073C40CD6DFC23FE), ++ UINT64_C(0xBDEEE7A1C936693A), UINT64_C(0xBC858E806EFAD378), ++ UINT64_C(0xEAD719FFF5BE55D4), UINT64_C(0xC8C3238F04552F5F) }, ++ { UINT64_C(0x0952C068928D5784), UINT64_C(0x89DFDF2294C58F2B), ++ UINT64_C(0x332DEDF367502C50), UINT64_C(0x3ED2FA3AAC0BE258), ++ UINT64_C(0xAEDC9B8A7C5C8244), UINT64_C(0x43A761B9DC0EA34F) } }, ++ { { UINT64_C(0x8FD683A2CC5E21A5), UINT64_C(0x5F444C6EFBA2BB68), ++ UINT64_C(0x709ACD0EAF05586D), UINT64_C(0x8EFA54D2DE8FB348), ++ UINT64_C(0x35276B7134CFE29E), UINT64_C(0x77A06FCD941EAC8C) }, ++ { UINT64_C(0x5815792D928322DD), UINT64_C(0x82FF356B67F7CB59), ++ UINT64_C(0x71E40A78304980F4), UINT64_C(0xC8645C273667D021), ++ UINT64_C(0xE785741CAEBAE28F), UINT64_C(0xB2C1BC7553ECAC37) } }, ++ { { UINT64_C(0x633EB24F1D0A74DB), UINT64_C(0xF1F55E56FA752512), ++ UINT64_C(0x75FECA688EFE11DE), UINT64_C(0xC80FD91CE6BF19EC), ++ UINT64_C(0xAD0BAFEC2A14C908), UINT64_C(0x4E1C4ACAADE4031F) }, ++ { UINT64_C(0x463A815B1EB1549A), UINT64_C(0x5AD4253C668F1298), ++ UINT64_C(0x5CB3866238A37151), UINT64_C(0x34BB1CCFAFF16B96), ++ UINT64_C(0xDCA93B13EE731AB0), UINT64_C(0x9F3CE5CC9BE01A0B) } }, ++ { { UINT64_C(0x75DB5723A110D331), UINT64_C(0x67C66F6A7123D89F), ++ UINT64_C(0x27ABBD4B4009D570), UINT64_C(0xACDA6F84C73451BC), ++ UINT64_C(0xE4B9A23905575ACF), UINT64_C(0x3C2DB7EFAB2D3D6C) }, ++ { UINT64_C(0x01CCDD0829115145), UINT64_C(0x9E0602FE57B5814A), ++ UINT64_C(0x679B35C287862838), UINT64_C(0x0277DC4C38AD598D), ++ UINT64_C(0xEF80A2136D896DD4), UINT64_C(0xC8812213E7B9047B) } }, ++ }, ++ { ++ { { UINT64_C(0xAC6DBDF6EDC9CE62), UINT64_C(0xA58F5B440F9C006E), ++ UINT64_C(0x16694DE3DC28E1B0), UINT64_C(0x2D039CF2A6647711), ++ UINT64_C(0xA13BBE6FC5B08B4B), UINT64_C(0xE44DA93010EBD8CE) }, ++ { UINT64_C(0xCD47208719649A16), UINT64_C(0xE18F4E44683E5DF1), ++ UINT64_C(0xB3F66303929BFA28), UINT64_C(0x7C378E43818249BF), ++ UINT64_C(0x76068C80847F7CD9), UINT64_C(0xEE3DB6D1987EBA16) } }, ++ { { UINT64_C(0xCBBD8576C42A2F52), UINT64_C(0x9ACC6F709D2B06BB), ++ UINT64_C(0xE5CB56202E6B72A4), UINT64_C(0x5738EA0E7C024443), ++ UINT64_C(0x8ED06170B55368F3), UINT64_C(0xE54C99BB1AEED44F) }, ++ { UINT64_C(0x3D90A6B2E2E0D8B2), UINT64_C(0x21718977CF7B2856), ++ UINT64_C(0x089093DCC5612AEC), UINT64_C(0xC272EF6F99C1BACC), ++ UINT64_C(0x47DB3B43DC43EAAD), UINT64_C(0x730F30E40832D891) } }, ++ { { UINT64_C(0x9FFE55630C7FECDB), UINT64_C(0x55CC67B6F88101E5), ++ UINT64_C(0x3039F981CBEFA3C7), UINT64_C(0x2AB06883667BFD64), ++ UINT64_C(0x9007A2574340E3DF), UINT64_C(0x1AC3F3FA5A3A49CA) }, ++ { UINT64_C(0x9C7BE629C97E20FD), UINT64_C(0xF61823D3A3DAE003), ++ UINT64_C(0xFFE7FF39E7380DBA), UINT64_C(0x620BB9B59FACC3B8), ++ UINT64_C(0x2DDCB8CD31AE422C), UINT64_C(0x1DE3BCFAD12C3C43) } }, ++ { { UINT64_C(0x8C074946D6E0F9A9), UINT64_C(0x662FA99551C3B05B), ++ UINT64_C(0x6CDAE96904BB2048), UINT64_C(0x6DEC9594D6DC8B60), ++ UINT64_C(0x8D26586954438BBC), UINT64_C(0x88E983E31B0E95A5) }, ++ { UINT64_C(0x8189F11460CBF838), UINT64_C(0x77190697771DC46B), ++ UINT64_C(0x775775A227F8EC1A), UINT64_C(0x7A125240607E3739), ++ UINT64_C(0xAFAE84E74F793E4E), UINT64_C(0x44FA17F35BF5BAF4) } }, ++ { { UINT64_C(0xA21E69A5D03AC439), UINT64_C(0x2069C5FC88AA8094), ++ UINT64_C(0xB041EEA78C08F206), UINT64_C(0x55B9D4613D65B8ED), ++ UINT64_C(0x951EA25CD392C7C4), UINT64_C(0x4B9A1CEC9D166232) }, ++ { UINT64_C(0xC184FCD8FCF931A4), UINT64_C(0xBA59AD44063AD374), ++ UINT64_C(0x1868AD2A1AA9796F), UINT64_C(0x38A34018DFF29832), ++ UINT64_C(0x01FC880103DF8070), UINT64_C(0x1282CCE048DD334A) } }, ++ { { UINT64_C(0x76AA955726D8503C), UINT64_C(0xBE962B636BC3E3D0), ++ UINT64_C(0xF5CA93E597DE8841), UINT64_C(0x1561B05EAF3F2C16), ++ UINT64_C(0x34BE00AAD34BFF98), UINT64_C(0xEA21E6E9D23D2925) }, ++ { UINT64_C(0x55713230394C3AFB), UINT64_C(0xEAF0529BD6C8BECA), ++ UINT64_C(0xFF38A743202B9A11), UINT64_C(0xA13E39FC6D3A398B), ++ UINT64_C(0x8CBD644B86E2615A), UINT64_C(0x92063988191057EC) } }, ++ { { UINT64_C(0x787835CE13F89146), UINT64_C(0x7FCD42CC69446C3F), ++ UINT64_C(0x0DA2AA98840E679D), UINT64_C(0x44F2052318779A1B), ++ UINT64_C(0xE3A3B34FEFBF5935), UINT64_C(0xA5D2CFD0B9947B70) }, ++ { UINT64_C(0xAE2AF4EF27F4E16F), UINT64_C(0xA7FA70D2B9D21322), ++ UINT64_C(0x68084919B3FD566B), UINT64_C(0xF04D71C8D7AAD6AB), ++ UINT64_C(0xDBEA21E410BC4260), UINT64_C(0xAA7DC6658D949B42) } }, ++ { { UINT64_C(0xD8E958A06CCB8213), UINT64_C(0x118D9DB991900B54), ++ UINT64_C(0x09BB9D4985E8CED6), UINT64_C(0x410E9FB524019281), ++ UINT64_C(0x3B31B4E16D74C86E), UINT64_C(0x52BC0252020BB77D) }, ++ { UINT64_C(0x5616A26F27092CE4), UINT64_C(0x67774DBCA08F65CD), ++ UINT64_C(0x560AD494C08BD569), UINT64_C(0xBE26DA36AD498783), ++ UINT64_C(0x0276C8AB7F019C91), UINT64_C(0x09843ADA5248266E) } }, ++ { { UINT64_C(0xA0AE88A77D963CF2), UINT64_C(0x91EF8986D0E84920), ++ UINT64_C(0xC7EFE344F8C58104), UINT64_C(0x0A25D9FDECA20773), ++ UINT64_C(0x9D989FAA00D8F1D5), UINT64_C(0x4204C8CEC8B06264) }, ++ { UINT64_C(0x717C12E0BE1A2796), UINT64_C(0x1FA4BA8CC190C728), ++ UINT64_C(0xA245CA8D8C8A59BA), UINT64_C(0xE3C374757672B935), ++ UINT64_C(0x083D5E402E4D6375), UINT64_C(0x0B8D5AB35455E16E) } }, ++ { { UINT64_C(0x1DB17DBFEED765D4), UINT64_C(0xBBC9B1BEA5DDB965), ++ UINT64_C(0x1948F76DDFC12ABC), UINT64_C(0x2C2714E5134EF489), ++ UINT64_C(0x60CE2EE8741C600F), UINT64_C(0x32396F22F80E6E63) }, ++ { UINT64_C(0x421DAC7522537F59), UINT64_C(0x58FB73C649475DF5), ++ UINT64_C(0x0ABF28856F18F1C7), UINT64_C(0x364744689A398D16), ++ UINT64_C(0x87A661A7BF673B87), UINT64_C(0x3E80698F73819E17) } }, ++ { { UINT64_C(0xDFE4979353784CC4), UINT64_C(0x4280EAB0486D508F), ++ UINT64_C(0x119593FFE534F5A4), UINT64_C(0x98AEFADD9F63242F), ++ UINT64_C(0x9AE6A24AC4829CAE), UINT64_C(0xF2373CA558E8BA80) }, ++ { UINT64_C(0x4017AF7E51765FB3), UINT64_C(0xD1E40F7CAF4AEC4B), ++ UINT64_C(0x87372C7A0898E3BC), UINT64_C(0x688982B285452CA9), ++ UINT64_C(0x71E0B4BFB1E50BCA), UINT64_C(0x21FD2DBFF70E714A) } }, ++ { { UINT64_C(0xEE6E8820FB78DDAC), UINT64_C(0x0BAED29C063892CD), ++ UINT64_C(0x5F33049C28C0588D), UINT64_C(0x90C2515E18DBC432), ++ UINT64_C(0xB8A1B1433B4CB0BD), UINT64_C(0x0AB5C0C968103043) }, ++ { UINT64_C(0xF3788FA04005EC40), UINT64_C(0x82571C99039EE115), ++ UINT64_C(0xEE8FCED593260BED), UINT64_C(0x5A9BAF7910836D18), ++ UINT64_C(0x7C258B09C46AA4F6), UINT64_C(0x46ECC5E837F53D31) } }, ++ { { UINT64_C(0xFA32C0DCBFE0DD98), UINT64_C(0x66EFAFC4962B1066), ++ UINT64_C(0xBA81D33E64BDF5EB), UINT64_C(0x36C28536FC7FC512), ++ UINT64_C(0x0C95176BE0B4FA97), UINT64_C(0x47DDE29B3B9BC64A) }, ++ { UINT64_C(0x08D986FD5C173B36), UINT64_C(0x46D84B526CF3F28C), ++ UINT64_C(0x6F6ED6C3F026BDB9), UINT64_C(0xAC90668B68206DC5), ++ UINT64_C(0xE8ED5D98ECBE4E70), UINT64_C(0xCFFF61DDDC1A6974) } }, ++ { { UINT64_C(0xFF5C3A2977B1A5C1), UINT64_C(0x10C27E4A0DDF995D), ++ UINT64_C(0xCB745F77E23363E3), UINT64_C(0xD765DF6F32F399A3), ++ UINT64_C(0xF0CA0C2F8A99E109), UINT64_C(0xC3A6BFB71E025CA0) }, ++ { UINT64_C(0x830B2C0A4F9D9FA5), UINT64_C(0xAE914CACBD1A84E5), ++ UINT64_C(0x30B35ED8A4FEBCC1), UINT64_C(0xCB902B4684CFBF2E), ++ UINT64_C(0x0BD4762825FC6375), UINT64_C(0xA858A53C85509D04) } }, ++ { { UINT64_C(0x8B995D0C552E0A3F), UINT64_C(0xEDBD4E9417BE9FF7), ++ UINT64_C(0x3432E83995085178), UINT64_C(0x0FE5C18180C256F5), ++ UINT64_C(0x05A64EA8EBF9597C), UINT64_C(0x6ED44BB13F80371F) }, ++ { UINT64_C(0x6A29A05EFE4C12EE), UINT64_C(0x3E436A43E0BB83B3), ++ UINT64_C(0x38365D9A74D72921), UINT64_C(0x3F5EE823C38E1ED7), ++ UINT64_C(0x09A53213E8FA063F), UINT64_C(0x1E7FE47AB435E713) } }, ++ { { UINT64_C(0xE4D9BC94FDDD17F3), UINT64_C(0xC74B8FEDC1016C20), ++ UINT64_C(0x095DE39BB49C060E), UINT64_C(0xDBCC67958AC0DF00), ++ UINT64_C(0x4CF6BAEB1C34F4DF), UINT64_C(0x72C55C21E8390170) }, ++ { UINT64_C(0x4F17BFD2F6C48E79), UINT64_C(0x18BF4DA0017A80BA), ++ UINT64_C(0xCF51D829BCF4B138), UINT64_C(0x598AEE5FF48F8B0D), ++ UINT64_C(0x83FAEE5620F10809), UINT64_C(0x4615D4DC779F0850) } }, ++ }, ++ { ++ { { UINT64_C(0x22313DEE5852B59B), UINT64_C(0x6F56C8E8B6A0B37F), ++ UINT64_C(0x43D6EEAEA76EC380), UINT64_C(0xA16551360275AD36), ++ UINT64_C(0xE5C1B65ADF095BDA), UINT64_C(0xBD1FFA8D367C44B0) }, ++ { UINT64_C(0xE2B419C26B48AF2B), UINT64_C(0x57BBBD973DA194C8), ++ UINT64_C(0xB5FBE51FA2BAFF05), UINT64_C(0xA0594D706269B5D0), ++ UINT64_C(0x0B07B70523E8D667), UINT64_C(0xAE1976B563E016E7) } }, ++ { { UINT64_C(0x2FDE4893FBECAAAE), UINT64_C(0x444346DE30332229), ++ UINT64_C(0x157B8A5B09456ED5), UINT64_C(0x73606A7925797C6C), ++ UINT64_C(0xA9D0F47C33C14C06), UINT64_C(0x7BC8962CFAF971CA) }, ++ { UINT64_C(0x6E763C5165909DFD), UINT64_C(0x1BBBE41B14A9BF42), ++ UINT64_C(0xD95B7ECBC49E9EFC), UINT64_C(0x0C317927B38F2B59), ++ UINT64_C(0x97912B53B3C397DB), UINT64_C(0xCB3879AA45C7ABC7) } }, ++ { { UINT64_C(0xCD81BDCF24359B81), UINT64_C(0x6FD326E2DB4C321C), ++ UINT64_C(0x4CB0228BF8EBE39C), UINT64_C(0x496A9DCEB2CDD852), ++ UINT64_C(0x0F115A1AD0E9B3AF), UINT64_C(0xAA08BF36D8EEEF8A) }, ++ { UINT64_C(0x5232A51506E5E739), UINT64_C(0x21FAE9D58407A551), ++ UINT64_C(0x289D18B08994B4E8), UINT64_C(0xB4E346A809097A52), ++ UINT64_C(0xC641510F324621D0), UINT64_C(0xC567FD4A95A41AB8) } }, ++ { { UINT64_C(0x261578C7D57C8DE9), UINT64_C(0xB9BC491F3836C5C8), ++ UINT64_C(0x993266B414C8038F), UINT64_C(0xBACAD755FAA7CC39), ++ UINT64_C(0x418C4DEFD69B7E27), UINT64_C(0x53FDC5CDAE751533) }, ++ { UINT64_C(0x6F3BD329C3EEA63A), UINT64_C(0xA7A22091E53DD29E), ++ UINT64_C(0xB7164F73DC4C54EC), UINT64_C(0xCA66290D44D3D74E), ++ UINT64_C(0xF77C62424C9EA511), UINT64_C(0x34337F551F714C49) } }, ++ { { UINT64_C(0x5ED2B216A64B6C4B), UINT64_C(0x1C38794F3AAE640D), ++ UINT64_C(0x30BBAEE08905794F), UINT64_C(0x0D9EE41EC8699CFB), ++ UINT64_C(0xAF38DAF2CF7B7C29), UINT64_C(0x0D6A05CA43E53513) }, ++ { UINT64_C(0xBE96C6442606AB56), UINT64_C(0x13E7A072E9EB9734), ++ UINT64_C(0xF96694455FF50CD7), UINT64_C(0x68EF26B547DA6F1D), ++ UINT64_C(0xF002873823687CB7), UINT64_C(0x5ED9C8766217C1CE) } }, ++ { { UINT64_C(0x423BA5130A3A9691), UINT64_C(0xF421B1E7B3179296), ++ UINT64_C(0x6B51BCDB1A871E1B), UINT64_C(0x6E3BB5B5464E4300), ++ UINT64_C(0x24171E2EFC6C54CC), UINT64_C(0xA9DFA947D3E58DC2) }, ++ { UINT64_C(0x175B33099DE9CFA7), UINT64_C(0x707B25292D1015DA), ++ UINT64_C(0xCBB95F17993EA65A), UINT64_C(0x935150630447450D), ++ UINT64_C(0x0F47B2051B2753C9), UINT64_C(0x4A0BAB14E7D427CF) } }, ++ { { UINT64_C(0xA39DEF39B5AA7CA1), UINT64_C(0x591CB173C47C33DF), ++ UINT64_C(0xA09DAC796BBAB872), UINT64_C(0x3EF9D7CF7208BA2F), ++ UINT64_C(0x3CC189317A0A34FC), UINT64_C(0xAE31C62BBCC3380F) }, ++ { UINT64_C(0xD72A67940287C0B4), UINT64_C(0x3373382C68E334F1), ++ UINT64_C(0xD0310CA8BD20C6A6), UINT64_C(0xA2734B8742C033FD), ++ UINT64_C(0xA5D390F18DCE4509), UINT64_C(0xFC84E74B3E1AFCB5) } }, ++ { { UINT64_C(0xB028334DF2CD8A9C), UINT64_C(0xB8719291570F76F6), ++ UINT64_C(0x662A386E01065A2D), UINT64_C(0xDF1634CB53D940AE), ++ UINT64_C(0x625A7B838F5B41F9), UINT64_C(0xA033E4FEEE6AA1B4) }, ++ { UINT64_C(0x51E9D4631E42BABB), UINT64_C(0x660BC2E40D388468), ++ UINT64_C(0x3F702189FCBB114A), UINT64_C(0x6B46FE35B414CA78), ++ UINT64_C(0x328F6CF24A57316B), UINT64_C(0x917423B5381AD156) } }, ++ { { UINT64_C(0xAC19306E5373A607), UINT64_C(0x471DF8E3191D0969), ++ UINT64_C(0x380ADE35B9720D83), UINT64_C(0x7423FDF548F1FD5C), ++ UINT64_C(0x8B090C9F49CABC95), UINT64_C(0xB768E8CDC9842F2F) }, ++ { UINT64_C(0x399F456DE56162D6), UINT64_C(0xBB6BA2404F326791), ++ UINT64_C(0x8F4FBA3B342590BE), UINT64_C(0x053986B93DFB6B3E), ++ UINT64_C(0xBB6739F1190C7425), UINT64_C(0x32D4A55332F7E95F) } }, ++ { { UINT64_C(0x0205A0EC0DDBFB21), UINT64_C(0x3010327D33AC3407), ++ UINT64_C(0xCF2F4DB33348999B), UINT64_C(0x660DB9F41551604A), ++ UINT64_C(0xC346C69A5D38D335), UINT64_C(0x64AAB3D338882479) }, ++ { UINT64_C(0xA096B5E76AE44403), UINT64_C(0x6B4C9571645F76CD), ++ UINT64_C(0x72E1CD5F4711120F), UINT64_C(0x93EC42ACF27CC3E1), ++ UINT64_C(0x2D18D004A72ABB12), UINT64_C(0x232E9568C9841A04) } }, ++ { { UINT64_C(0xFF01DB223CC7F908), UINT64_C(0x9F214F8FD13CDD3B), ++ UINT64_C(0x38DADBB7E0B014B5), UINT64_C(0x2C548CCC94245C95), ++ UINT64_C(0x714BE331809AFCE3), UINT64_C(0xBCC644109BFE957E) }, ++ { UINT64_C(0xC21C2D215B957F80), UINT64_C(0xBA2D4FDCBB8A4C42), ++ UINT64_C(0xFA6CD4AF74817CEC), UINT64_C(0x9E7FB523C528EAD6), ++ UINT64_C(0xAED781FF7714B10E), UINT64_C(0xB52BB59294F04455) } }, ++ { { UINT64_C(0xA578BD69868CC68B), UINT64_C(0xA40FDC8D603F2C08), ++ UINT64_C(0x53D79BD12D81B042), UINT64_C(0x1B136AF3A7587EAB), ++ UINT64_C(0x1ED4F939868A16DB), UINT64_C(0x775A61FBD0B98273) }, ++ { UINT64_C(0xBA5C12A6E56BEF8C), UINT64_C(0xF926CE52DDDC8595), ++ UINT64_C(0xA13F5C8F586FE1F8), UINT64_C(0xEAC9F7F2060DBB54), ++ UINT64_C(0x70C0AC3A51AF4342), UINT64_C(0xC16E303C79CDA450) } }, ++ { { UINT64_C(0xD0DADD6C8113F4EA), UINT64_C(0xF14E392207BDF09F), ++ UINT64_C(0x3FE5E9C2AA7D877C), UINT64_C(0x9EA95C1948779264), ++ UINT64_C(0xE93F65A74FCB8344), UINT64_C(0x9F40837E76D925A4) }, ++ { UINT64_C(0x0EA6DA3F8271FFC7), UINT64_C(0x557FA529CC8F9B19), ++ UINT64_C(0x2613DBF178E6DDFD), UINT64_C(0x7A7523B836B1E954), ++ UINT64_C(0x20EB3168406A87FB), UINT64_C(0x64C21C1403ABA56A) } }, ++ { { UINT64_C(0xE86C9C2DC032DD5F), UINT64_C(0x158CEB8E86F16A21), ++ UINT64_C(0x0279FF5368326AF1), UINT64_C(0x1FFE2E2B59F12BA5), ++ UINT64_C(0xD75A46DB86826D45), UINT64_C(0xE19B48411E33E6AC) }, ++ { UINT64_C(0x5F0CC5240E52991C), UINT64_C(0x645871F98B116286), ++ UINT64_C(0xAB3B4B1EFCAEC5D3), UINT64_C(0x994C8DF051D0F698), ++ UINT64_C(0x06F890AFE5D13040), UINT64_C(0x72D9DC235F96C7C2) } }, ++ { { UINT64_C(0x7C018DEEE7886A80), UINT64_C(0xFA2093308786E4A3), ++ UINT64_C(0xCEC8E2A3A4415CA1), UINT64_C(0x5C736FC1CC83CC60), ++ UINT64_C(0xFEF9788CF00C259F), UINT64_C(0xED5C01CBDD29A6AD) }, ++ { UINT64_C(0x87834A033E20825B), UINT64_C(0x13B1239D123F9358), ++ UINT64_C(0x7E8869D0FBC286C1), UINT64_C(0xC4AB5AA324CE8609), ++ UINT64_C(0x38716BEEB6349208), UINT64_C(0x0BDF4F99B322AE21) } }, ++ { { UINT64_C(0x6B97A2BF53E3494B), UINT64_C(0xA8AA05C570F7A13E), ++ UINT64_C(0x209709C2F1305B51), UINT64_C(0x57B31888DAB76F2C), ++ UINT64_C(0x75B2ECD7AA2A406A), UINT64_C(0x88801A00A35374A4) }, ++ { UINT64_C(0xE1458D1C45C0471B), UINT64_C(0x5760E306322C1AB0), ++ UINT64_C(0x789A0AF1AD6AB0A6), UINT64_C(0x74398DE1F458B9CE), ++ UINT64_C(0x1652FF9F32E0C65F), UINT64_C(0xFAF1F9D5FFFB3A52) } }, ++ }, ++ { ++ { { UINT64_C(0xA05C751CD1D1B007), UINT64_C(0x016C213B0213E478), ++ UINT64_C(0x9C56E26CF4C98FEE), UINT64_C(0x6084F8B9E7B3A7C7), ++ UINT64_C(0xA0B042F6DECC1646), UINT64_C(0x4A6F3C1AFBF3A0BC) }, ++ { UINT64_C(0x94524C2C51C9F909), UINT64_C(0xF3B3AD403A6D3748), ++ UINT64_C(0x18792D6E7CE1F9F5), UINT64_C(0x8EBC2FD7FC0C34FA), ++ UINT64_C(0x032A9F41780A1693), UINT64_C(0x34F9801E56A60019) } }, ++ { { UINT64_C(0xB398290CF0DB3751), UINT64_C(0x01170580BA42C976), ++ UINT64_C(0x3E71AA2956560B89), UINT64_C(0x80817AAC50E6647B), ++ UINT64_C(0x35C833ADA0BE42DA), UINT64_C(0xFA3C6148F1BABA4E) }, ++ { UINT64_C(0xC57BE645CD8F6253), UINT64_C(0x77CEE46BC657AD0D), ++ UINT64_C(0x830077310DEFD908), UINT64_C(0x92FE9BCE899CBA56), ++ UINT64_C(0x48450EC4BCEFFB5A), UINT64_C(0xE615148DF2F5F4BF) } }, ++ { { UINT64_C(0xF55EDABB90B86166), UINT64_C(0x27F7D784075430A2), ++ UINT64_C(0xF53E822B9BF17161), UINT64_C(0x4A5B3B93AFE808DC), ++ UINT64_C(0x590BBBDED7272F55), UINT64_C(0x233D63FAEAEA79A1) }, ++ { UINT64_C(0xD7042BEAFE1EBA07), UINT64_C(0xD2B9AEA010750D7E), ++ UINT64_C(0xD8D1E69031078AA5), UINT64_C(0x9E837F187E37BC8B), ++ UINT64_C(0x9558FF4F85008975), UINT64_C(0x93EDB837421FE867) } }, ++ { { UINT64_C(0xAA6489DF83D55B5A), UINT64_C(0xEA092E4986BF27F7), ++ UINT64_C(0x4D8943A95FA2EFEC), UINT64_C(0xC9BAAE53720E1A8C), ++ UINT64_C(0xC055444B95A4F8A3), UINT64_C(0x93BD01E8A7C1206B) }, ++ { UINT64_C(0xD97765B6714A27DF), UINT64_C(0xD622D954193F1B16), ++ UINT64_C(0x115CC35AF1503B15), UINT64_C(0x1DD5359FA9FA21F8), ++ UINT64_C(0x197C32996DFED1F1), UINT64_C(0xDEE8B7C9F77F2679) } }, ++ { { UINT64_C(0x5405179F394FD855), UINT64_C(0xC9D6E24449FDFB33), ++ UINT64_C(0x70EBCAB4BD903393), UINT64_C(0x0D3A3899A2C56780), ++ UINT64_C(0x012C7256683D1A0A), UINT64_C(0xC688FC8880A48F3B) }, ++ { UINT64_C(0x180957546F7DF527), UINT64_C(0x9E339B4B71315D16), ++ UINT64_C(0x90560C28A956BB12), UINT64_C(0x2BECEA60D42EEE8D), ++ UINT64_C(0x82AEB9A750632653), UINT64_C(0xED34353EDFA5CD6A) } }, ++ { { UINT64_C(0x82154D2C91AECCE4), UINT64_C(0x312C60705041887F), ++ UINT64_C(0xECF589F3FB9FBD71), UINT64_C(0x67660A7DB524BDE4), ++ UINT64_C(0xE99B029D724ACF23), UINT64_C(0xDF06E4AF6D1CD891) }, ++ { UINT64_C(0x07806CB580EE304D), UINT64_C(0x0C70BB9F7443A8F8), ++ UINT64_C(0x01EC341408B0830A), UINT64_C(0xFD7B63C35A81510B), ++ UINT64_C(0xE90A0A39453B5F93), UINT64_C(0xAB700F8F9BC71725) } }, ++ { { UINT64_C(0x9401AEC2B9F00793), UINT64_C(0x064EC4F4B997F0BF), ++ UINT64_C(0xDC0CC1FD849240C8), UINT64_C(0x39A75F37B6E92D72), ++ UINT64_C(0xAA43CA5D0224A4AB), UINT64_C(0x9C4D632554614C47) }, ++ { UINT64_C(0x1767366FC6709DA3), UINT64_C(0xA6B482D123479232), ++ UINT64_C(0x54DC6DDC84D63E85), UINT64_C(0x0ACCB5ADC99D3B9E), ++ UINT64_C(0x211716BBE8AA3ABF), UINT64_C(0xD0FE25AD69EC6406) } }, ++ { { UINT64_C(0x0D5C1769DF85C705), UINT64_C(0x7086C93DA409DCD1), ++ UINT64_C(0x9710839D0E8D75D8), UINT64_C(0x17B7DB75EBDD4177), ++ UINT64_C(0xAF69EB58F649A809), UINT64_C(0x6EF19EA28A84E220) }, ++ { UINT64_C(0x36EB5C6665C278B2), UINT64_C(0xD2A1512881EA9D65), ++ UINT64_C(0x4FCBA840769300AD), UINT64_C(0xC2052CCDC8E536E5), ++ UINT64_C(0x9CAEE014AC263B8F), UINT64_C(0x56F7ED7AF9239663) } }, ++ { { UINT64_C(0xF6FA251FAC9E09E1), UINT64_C(0xA3775605955A2853), ++ UINT64_C(0x977B8D21F2A4BD78), UINT64_C(0xF68AA7FF3E096410), ++ UINT64_C(0x01AB055265F88419), UINT64_C(0xC4C8D77EBB93F64E) }, ++ { UINT64_C(0x718251113451FE64), UINT64_C(0xFA0F905B46F9BAF0), ++ UINT64_C(0x79BE3BF3CA49EF1A), UINT64_C(0x831109B26CB02071), ++ UINT64_C(0x765F935FC4DDBFE5), UINT64_C(0x6F99CD1480E5A3BA) } }, ++ { { UINT64_C(0xD2E8DA04234F91FF), UINT64_C(0x4DED4D6D813867AA), ++ UINT64_C(0x3B50175DE0A0D945), UINT64_C(0x55AC74064EB78137), ++ UINT64_C(0xE9FA7F6EE1D47730), UINT64_C(0x2C1715315CBF2176) }, ++ { UINT64_C(0xA521788F2BE7A47D), UINT64_C(0x95B15A273FCF1AB3), ++ UINT64_C(0xAADA6401F28A946A), UINT64_C(0x628B2EF48B4E898B), ++ UINT64_C(0x0E6F46296D6592CC), UINT64_C(0x997C7094A723CADD) } }, ++ { { UINT64_C(0x878BCE116AFE80C6), UINT64_C(0xA89ABC9D007BBA38), ++ UINT64_C(0xB0C1F87BA7CC267F), UINT64_C(0x86D33B9D5104FF04), ++ UINT64_C(0xB0504B1B2EF1BA42), UINT64_C(0x21693048B2827E88) }, ++ { UINT64_C(0x11F1CCD579CFCD14), UINT64_C(0x59C09FFA94AD227E), ++ UINT64_C(0x95A4ADCB3EA91ACF), UINT64_C(0x1346238BB4370BAA), ++ UINT64_C(0xB099D2023E1367B0), UINT64_C(0xCF5BBDE690F23CEA) } }, ++ { { UINT64_C(0x453299BBBCB3BE5E), UINT64_C(0x123C588E38E9FF97), ++ UINT64_C(0x8C115DD9F6A2E521), UINT64_C(0x6E333C11FF7D4B98), ++ UINT64_C(0x9DD061E5DA73E736), UINT64_C(0xC6AB7B3A5CA53056) }, ++ { UINT64_C(0xF1EF3EE35B30A76B), UINT64_C(0xADD6B44A961BA11F), ++ UINT64_C(0x7BB00B752CA6E030), UINT64_C(0x270272E82FE270AD), ++ UINT64_C(0x23BC6F4F241A9239), UINT64_C(0x88581E130BB94A94) } }, ++ { { UINT64_C(0xBD225A6924EEF67F), UINT64_C(0x7CFD96140412CEB7), ++ UINT64_C(0xF6DE167999AC298E), UINT64_C(0xB20FD895ED6C3571), ++ UINT64_C(0x03C73B7861836C56), UINT64_C(0xEE3C3A16ABA6CB34) }, ++ { UINT64_C(0x9E8C56674138408A), UINT64_C(0xEC25FCB12DD6EBDF), ++ UINT64_C(0xC54C33FDDBBDF6E3), UINT64_C(0x93E0913B4A3C9DD4), ++ UINT64_C(0x66D7D13535EDEED4), UINT64_C(0xD29A36C4453FB66E) } }, ++ { { UINT64_C(0x7F192F039F1943AF), UINT64_C(0x6488163F4E0B5FB0), ++ UINT64_C(0x66A45C6953599226), UINT64_C(0x924E2E439AD15A73), ++ UINT64_C(0x8B553DB742A99D76), UINT64_C(0x4BC6B53B0451F521) }, ++ { UINT64_C(0xC029B5EF101F8AD6), UINT64_C(0x6A4DA71CC507EED9), ++ UINT64_C(0x3ADFAEC030BB22F3), UINT64_C(0x81BCAF7AB514F85B), ++ UINT64_C(0x2E1E6EFF5A7E60D3), UINT64_C(0x5270ABC0AE39D42F) } }, ++ { { UINT64_C(0x86D56DEB3901F0F8), UINT64_C(0x1D0BC792EED5F650), ++ UINT64_C(0x1A2DDFD8CA1114A3), UINT64_C(0x94ABF4B1F1DD316D), ++ UINT64_C(0xF72179E43D9F18EF), UINT64_C(0x52A0921E9AA2CABF) }, ++ { UINT64_C(0xECDA9E27A7452883), UINT64_C(0x7E90850AAFD771B4), ++ UINT64_C(0xD40F87EA9CC0465C), UINT64_C(0x8CFCB60A865CDA36), ++ UINT64_C(0x3DBEC2CC7C650942), UINT64_C(0x071A4EE7E718CA9D) } }, ++ { { UINT64_C(0x73C0E4FF276AC5F3), UINT64_C(0xE7BA5A6ABDB97EA1), ++ UINT64_C(0x638CA54EC5808398), UINT64_C(0x8258DC82413855E5), ++ UINT64_C(0x35DDD2E957F07614), UINT64_C(0xF98DD6921DC13BF9) }, ++ { UINT64_C(0x3A4C0088F16DCD84), UINT64_C(0xF192EADD833D83F9), ++ UINT64_C(0x3C26C931A6D61D29), UINT64_C(0x589FDD52DE0AD7A1), ++ UINT64_C(0x7CD83DD20442D37F), UINT64_C(0x1E47E777403ECBFC) } }, ++ }, ++ { ++ { { UINT64_C(0x2AF8ED8170D4D7BC), UINT64_C(0xABC3E15FB632435C), ++ UINT64_C(0x4C0E726F78219356), UINT64_C(0x8C1962A1B87254C4), ++ UINT64_C(0x30796A71C9E7691A), UINT64_C(0xD453EF19A75A12EE) }, ++ { UINT64_C(0x535F42C213AE4964), UINT64_C(0x86831C3C0DA9586A), ++ UINT64_C(0xB7F1EF35E39A7A58), UINT64_C(0xA2789AE2D459B91A), ++ UINT64_C(0xEADBCA7F02FD429D), UINT64_C(0x94F215D465290F57) } }, ++ { { UINT64_C(0x37ED2BE51CFB79AC), UINT64_C(0x801946F3E7AF84C3), ++ UINT64_C(0xB061AD8AE77C2F00), UINT64_C(0xE87E1A9A44DE16A8), ++ UINT64_C(0xDF4F57C87EE490FF), UINT64_C(0x4E793B49005993ED) }, ++ { UINT64_C(0xE1036387BCCB593F), UINT64_C(0xF174941195E09B80), ++ UINT64_C(0x59CB20D15AB42F91), UINT64_C(0xA738A18DAC0FF033), ++ UINT64_C(0xDA501A2E2AC1E7F4), UINT64_C(0x1B67EDA084D8A6E0) } }, ++ { { UINT64_C(0x1D27EFCE1080E90B), UINT64_C(0xA28152463FD01DC6), ++ UINT64_C(0x99A3FB83CAA26D18), UINT64_C(0xD27E6133B82BABBE), ++ UINT64_C(0x61030DFDD783DD60), UINT64_C(0x295A291373C78CB8) }, ++ { UINT64_C(0x8707A2CF68BE6A92), UINT64_C(0xC9C2FB98EEB3474A), ++ UINT64_C(0x7C3FD412A2B176B8), UINT64_C(0xD5B52E2FC7202101), ++ UINT64_C(0x24A63030F0A6D536), UINT64_C(0x05842DE304648EC0) } }, ++ { { UINT64_C(0x67477CDC30577AC9), UINT64_C(0x51DD9775244F92A8), ++ UINT64_C(0x31FD60B9917EEC66), UINT64_C(0xACD95BD4D66C5C1D), ++ UINT64_C(0x2E0551F3BF9508BA), UINT64_C(0x121168E1688CB243) }, ++ { UINT64_C(0x8C0397404540D230), UINT64_C(0xC4ED3CF6009ECDF9), ++ UINT64_C(0x191825E144DB62AF), UINT64_C(0x3EE8ACABC4A030DA), ++ UINT64_C(0x8AB154A894081504), UINT64_C(0x1FE09E4B486C9CD0) } }, ++ { { UINT64_C(0x512F82F9D113450B), UINT64_C(0x5878C9012DBC9197), ++ UINT64_C(0xDB87412BE13F355B), UINT64_C(0x0A0A4A9B935B8A5E), ++ UINT64_C(0x818587BDF25A5351), UINT64_C(0xE807931031E3D9C7) }, ++ { UINT64_C(0x8B1D47C7611BC1B1), UINT64_C(0x51722B5872A823F2), ++ UINT64_C(0x6F97EE8A53B36B3E), UINT64_C(0x6E085AAC946DD453), ++ UINT64_C(0x2EC5057DE65E6533), UINT64_C(0xF82D9D714BB18801) } }, ++ { { UINT64_C(0xAD81FA938BA5AA8E), UINT64_C(0x723E628E8F7AA69E), ++ UINT64_C(0x0BA7C2DEEF35937C), UINT64_C(0x83A43EC56DECFB40), ++ UINT64_C(0xF520F849E60C4F2D), UINT64_C(0x8260E8AE457E3B5E) }, ++ { UINT64_C(0x7CE874F0BF1D9ED7), UINT64_C(0x5FDE35537F1A5466), ++ UINT64_C(0x5A63777C0C162DBB), UINT64_C(0x0FD04F8CDAD87289), ++ UINT64_C(0xCA2D9E0E640761D5), UINT64_C(0x4615CFF838501ADB) } }, ++ { { UINT64_C(0x9422789B110B4A25), UINT64_C(0x5C26779F70AD8CC1), ++ UINT64_C(0x4EE6A748EC4F1E14), UINT64_C(0xFB584A0D5C7AB5E0), ++ UINT64_C(0xED1DCB0BFB21EE66), UINT64_C(0xDBED1F0011C6863C) }, ++ { UINT64_C(0xD2969269B1B1D187), UINT64_C(0xF7D0C3F2AFE964E6), ++ UINT64_C(0xE05EE93F12BB865E), UINT64_C(0x1AFB7BEEED79118E), ++ UINT64_C(0x220AF1380F0FE453), UINT64_C(0x1463AA1A52782AB9) } }, ++ { { UINT64_C(0x7C139D56D7DBE5F9), UINT64_C(0xFC16E6110B83685B), ++ UINT64_C(0xFA723C029018463C), UINT64_C(0xC472458C840BF5D7), ++ UINT64_C(0x4D8093590AF07591), UINT64_C(0x418D88303308DFD9) }, ++ { UINT64_C(0x9B381E040C365AE3), UINT64_C(0x3780BF33F8190FD1), ++ UINT64_C(0x45397418DD03E854), UINT64_C(0xA95D030F4E51E491), ++ UINT64_C(0x87C8C686E3286CEA), UINT64_C(0x01C773BF900B5F83) } }, ++ { { UINT64_C(0xDABE347578673B02), UINT64_C(0x4F0F25CEF6E7395E), ++ UINT64_C(0x3117ABB9D181AD45), UINT64_C(0x4B559F88AA13DE0B), ++ UINT64_C(0xFD8EFE78EA7C9745), UINT64_C(0x080600475DD21682) }, ++ { UINT64_C(0xC0F5DE4BD4C86FFC), UINT64_C(0x4BB14B1EF21AB6A2), ++ UINT64_C(0xACB53A6CF50C1D12), UINT64_C(0x46AAC4505CC9162E), ++ UINT64_C(0x049C51E02DE240B6), UINT64_C(0xBB2DC016E383C3B0) } }, ++ { { UINT64_C(0xA3C56AD28E438C92), UINT64_C(0x7C43F98FB2CEAF1A), ++ UINT64_C(0x397C44F7E2150778), UINT64_C(0x48D17AB771A24131), ++ UINT64_C(0xCC5138631E2ACDA9), UINT64_C(0x2C76A55EF0C9BAC9) }, ++ { UINT64_C(0x4D74CDCE7EA4BB7B), UINT64_C(0x834BD5BFB1B3C2BA), ++ UINT64_C(0x46E2911ECCC310A4), UINT64_C(0xD3DE84AA0FC1BF13), ++ UINT64_C(0x27F2892F80A03AD3), UINT64_C(0x85B476203BD2F08B) } }, ++ { { UINT64_C(0xAB1CB818567AF533), UINT64_C(0x273B4537BAC2705A), ++ UINT64_C(0x133066C422C84AB6), UINT64_C(0xC3590DE64830BFC1), ++ UINT64_C(0xEA2978695E4742D0), UINT64_C(0xF6D8C6944F3164C0) }, ++ { UINT64_C(0x09E85F3DC1249588), UINT64_C(0x6C2BB05D4EC64DF7), ++ UINT64_C(0xD267115E8B78000F), UINT64_C(0x07C5D7AEC7E4A316), ++ UINT64_C(0xCB1187BA4619E5BD), UINT64_C(0x57B1D4EFA43F7EEE) } }, ++ { { UINT64_C(0x3618891FC8176A96), UINT64_C(0x62C4B084E5808B97), ++ UINT64_C(0xDE5585464DD95D6E), UINT64_C(0x27A8133E730B2EA4), ++ UINT64_C(0xE07CEEC36AF318A0), UINT64_C(0x0ACC1286CE24FD2C) }, ++ { UINT64_C(0x8A48FE4ADD4D307C), UINT64_C(0x71A9BA9C18CDE0DA), ++ UINT64_C(0x655E2B66D5D79747), UINT64_C(0x409FE856A79AEDC7), ++ UINT64_C(0xC5A9F244D287E5CF), UINT64_C(0xCCE103844E82EC39) } }, ++ { { UINT64_C(0x00675BA7F25D364C), UINT64_C(0x7A7F162968D36BDF), ++ UINT64_C(0x35EC468AA9E23F29), UINT64_C(0xF797AC502D926E6C), ++ UINT64_C(0x639BA4534B4F4376), UINT64_C(0xD71B430F51FF9519) }, ++ { UINT64_C(0xB8C439EC2CF5635C), UINT64_C(0x0CE4C8D181980393), ++ UINT64_C(0x4C5362A964123B15), UINT64_C(0x6E0421E0FFDCF096), ++ UINT64_C(0x624A855F10D1F914), UINT64_C(0x7D8F3AB7614DCD29) } }, ++ { { UINT64_C(0xD9219ADAB3493CE0), UINT64_C(0x971B243A52F09AE5), ++ UINT64_C(0xC16C9BF8E24E3674), UINT64_C(0x026D408DCE68C7CD), ++ UINT64_C(0xF9B33DD9358209E3), UINT64_C(0x02D0595DF3B2A206) }, ++ { UINT64_C(0xBF99427160D15640), UINT64_C(0x6DA7A04E15B5466A), ++ UINT64_C(0x03AA4ED81CADB50D), UINT64_C(0x1548F029129A4253), ++ UINT64_C(0x41741F7EB842865A), UINT64_C(0x859FE0A4A3F88C98) } }, ++ { { UINT64_C(0x80DE085A05FD7553), UINT64_C(0x4A4AB91EB897566B), ++ UINT64_C(0x33BCD4752F1C173F), UINT64_C(0x4E238896C100C013), ++ UINT64_C(0x1C88500DD614B34B), UINT64_C(0x0401C5F6C3BA9E23) }, ++ { UINT64_C(0x8E8003C4D0AF0DE5), UINT64_C(0x19B1DFB59D0DCBB9), ++ UINT64_C(0x4A3640A9EBEF7AB6), UINT64_C(0xEDAFD65B959B15F6), ++ UINT64_C(0x8092EF7F7FB95821), UINT64_C(0xAB8DD52ECE2E45D1) } }, ++ { { UINT64_C(0xD1F2D6B8B9CFE6BF), UINT64_C(0x6358810B00073F6F), ++ UINT64_C(0x5FCE5993D712106E), UINT64_C(0x5EE6B2711C024C91), ++ UINT64_C(0xD0248FF5453DB663), UINT64_C(0xD6D81CB2ADB835E8) }, ++ { UINT64_C(0x8696CFECFDFCB4C7), UINT64_C(0x696B7FCB53BC9045), ++ UINT64_C(0xAB4D3807DDA56981), UINT64_C(0x2F9980521E4B943B), ++ UINT64_C(0x8AA76ADB166B7F18), UINT64_C(0x6393430152A2D7ED) } }, ++ }, ++ { ++ { { UINT64_C(0xBBCCCE39A368EFF6), UINT64_C(0xD8CAABDF8CEB5C43), ++ UINT64_C(0x9EAE35A5D2252FDA), UINT64_C(0xA8F4F20954E7DD49), ++ UINT64_C(0xA56D72A6295100FD), UINT64_C(0x20FC1FE856767727) }, ++ { UINT64_C(0xBF60B2480BBAA5AB), UINT64_C(0xA4F3CE5A313911F2), ++ UINT64_C(0xC2A67AD4B93DAB9C), UINT64_C(0x18CD0ED022D71F39), ++ UINT64_C(0x04380C425F304DB2), UINT64_C(0x26420CBB6729C821) } }, ++ { { UINT64_C(0x26BD07D6BDFBCAE8), UINT64_C(0x10B5173FDF01A80A), ++ UINT64_C(0xD831C5466798B96C), UINT64_C(0x1D6B41081D3F3859), ++ UINT64_C(0x501D38EC991B9EC7), UINT64_C(0x26319283D78431A9) }, ++ { UINT64_C(0x8B85BAF7118B343C), UINT64_C(0x4696CDDD58DEF7D0), ++ UINT64_C(0xEFC7C1107ACDCF58), UINT64_C(0xD9AF415C848D5842), ++ UINT64_C(0x6B5A06BC0AC7FDAC), UINT64_C(0x7D623E0DA344319B) } }, ++ { { UINT64_C(0x4C0D78060C9D3547), UINT64_C(0x993F048DCF2AED47), ++ UINT64_C(0x5217C453E4B57E22), UINT64_C(0xB4669E35F4172B28), ++ UINT64_C(0x509A3CD049F999F8), UINT64_C(0xD19F863287C69D41) }, ++ { UINT64_C(0xE14D01E84C8FDED0), UINT64_C(0x342880FDEAFD9E1C), ++ UINT64_C(0x0E17BFF270DC2BF0), UINT64_C(0x46560B7BC0186400), ++ UINT64_C(0xE28C7B9C49A4DD34), UINT64_C(0x182119160F325D06) } }, ++ { { UINT64_C(0x46D70888D7E02E18), UINT64_C(0x7C806954D9F11FD9), ++ UINT64_C(0xE4948FCA4FBEA271), UINT64_C(0x7D6C7765BD80A9DF), ++ UINT64_C(0x1B470EA6F3871C71), UINT64_C(0xD62DE2448330A570) }, ++ { UINT64_C(0xDAECDDC1C659C3A7), UINT64_C(0x8621E513077F7AFC), ++ UINT64_C(0x56C7CD84CAEEEF13), UINT64_C(0xC60C910FC685A356), ++ UINT64_C(0xE68BC5C59DD93DDC), UINT64_C(0xD904E89FFEB64895) } }, ++ { { UINT64_C(0x75D874FB8BA7917A), UINT64_C(0x18FA7F53FD043BD4), ++ UINT64_C(0x212A0AD71FC3979E), UINT64_C(0x5703A7D95D6EAC0E), ++ UINT64_C(0x222F7188017DEAD5), UINT64_C(0x1EC687B70F6C1817) }, ++ { UINT64_C(0x23412FC3238BACB6), UINT64_C(0xB85D70E954CED154), ++ UINT64_C(0xD4E06722BDA674D0), UINT64_C(0x3EA5F17836F5A0C2), ++ UINT64_C(0x7E7D79CFF5C6D2CA), UINT64_C(0x1FFF94643DBB3C73) } }, ++ { { UINT64_C(0x916E19D0F163E4A8), UINT64_C(0x1E6740E71489DF17), ++ UINT64_C(0x1EAF9723339F3A47), UINT64_C(0x22F0ED1A124B8DAD), ++ UINT64_C(0x39C9166C49C3DD04), UINT64_C(0x628E7FD4CE1E9ACC) }, ++ { UINT64_C(0x124DDF2740031676), UINT64_C(0x002569391EDDB9BE), ++ UINT64_C(0xD39E25E7D360B0DA), UINT64_C(0x6E3015A84AA6C4C9), ++ UINT64_C(0xC6A2F643623EDA09), UINT64_C(0xBEFF2D1250AA99FB) } }, ++ { { UINT64_C(0x1FEEF7CE93EE8089), UINT64_C(0xC6B180BC252DD7BD), ++ UINT64_C(0xA16FB20B1788F051), UINT64_C(0xD86FD392E046ED39), ++ UINT64_C(0xDA0A36119378CE1D), UINT64_C(0x121EF3E7A5F7A61D) }, ++ { UINT64_C(0x94D2206192D13CAE), UINT64_C(0x5076046A77C72E08), ++ UINT64_C(0xF18BC2337D2308B9), UINT64_C(0x004DB3C517F977B1), ++ UINT64_C(0xD05AE3990471C11D), UINT64_C(0x86A2A55785CD1726) } }, ++ { { UINT64_C(0xB8D9B28672107804), UINT64_C(0xB5A7C4133303B79B), ++ UINT64_C(0x927EEF785FA37DED), UINT64_C(0xA1C5CF1EAD67DABA), ++ UINT64_C(0xAA5E3FB27360E7C7), UINT64_C(0x8354E61A0A0C0993) }, ++ { UINT64_C(0x2EC73AF97F5458CC), UINT64_C(0xDE4CB48848474325), ++ UINT64_C(0x2DD134C77209BC69), UINT64_C(0xB70C5567451A2ABE), ++ UINT64_C(0x2CD1B2008E293018), UINT64_C(0x15F8DA7AD33C0D72) } }, ++ { { UINT64_C(0x5DC386D0A8790657), UINT64_C(0xA4FDF676BC4D88BB), ++ UINT64_C(0x1B21F38F48BC6C49), UINT64_C(0xCDCC7FAA543A7003), ++ UINT64_C(0xEA97E7AA8C9CF72C), UINT64_C(0xA6B883F450D938A8) }, ++ { UINT64_C(0x51936F3AA3A10F27), UINT64_C(0x0170785FDECC76BF), ++ UINT64_C(0x7539ECE1908C578A), UINT64_C(0x5D9C8A8E0F3E8C25), ++ UINT64_C(0x8681B43B9E4717A7), UINT64_C(0x94F42507A9D83E39) } }, ++ { { UINT64_C(0xBBE11CA8A55ADDE7), UINT64_C(0x39E6F5CF3BC0896B), ++ UINT64_C(0x1447314E1D2D8D94), UINT64_C(0x45B481255B012F8A), ++ UINT64_C(0x41AD23FA08AD5283), UINT64_C(0x837243E241D13774) }, ++ { UINT64_C(0x1FC0BD9DBADCAA46), UINT64_C(0x8DF164ED26E84CAE), ++ UINT64_C(0x8FF70EC041017176), UINT64_C(0x23AD4BCE5C848BA7), ++ UINT64_C(0x89246FDE97A19CBB), UINT64_C(0xA5EF987B78397991) } }, ++ { { UINT64_C(0x111AF1B74757964D), UINT64_C(0x1D25D351DDBBF258), ++ UINT64_C(0x4161E7767D2B06D6), UINT64_C(0x6EFD26911CAC0C5B), ++ UINT64_C(0x633B95DB211BFAEB), UINT64_C(0x9BEDFA5AE2BDF701) }, ++ { UINT64_C(0xADAC2B0B73E099C8), UINT64_C(0x436F0023BFB16BFF), ++ UINT64_C(0xB91B100230F55854), UINT64_C(0xAF6A2097F4C6C8B7), ++ UINT64_C(0x3FF65CED3AD7B3D9), UINT64_C(0x6FA2626F330E56DF) } }, ++ { { UINT64_C(0x3D28BF2DFFCCFD07), UINT64_C(0x0514F6FFD989603B), ++ UINT64_C(0xB95196295514787A), UINT64_C(0xA1848121C3DB4E9C), ++ UINT64_C(0x47FE2E392A3D4595), UINT64_C(0x506F5D8211B73ED4) }, ++ { UINT64_C(0xA2257AE7A600D8BB), UINT64_C(0xD659DBD10F9F122C), ++ UINT64_C(0xDB0FDC6764DF160F), UINT64_C(0xFF3793397CB19690), ++ UINT64_C(0xDF4366B898E72EC1), UINT64_C(0x97E72BECDF437EB8) } }, ++ { { UINT64_C(0x81DCEA271C81E5D9), UINT64_C(0x7E1B6CDA6717FC49), ++ UINT64_C(0xAA36B3B511EAE80D), UINT64_C(0x1306687C3CD7CBB3), ++ UINT64_C(0xED670235C4E89064), UINT64_C(0x9D3B000958A94760) }, ++ { UINT64_C(0x5A64E158E6A6333C), UINT64_C(0x1A8B4A3649453203), ++ UINT64_C(0xF1CAD7241F77CC21), UINT64_C(0x693EBB4B70518EF7), ++ UINT64_C(0xFB47BD810F39C91A), UINT64_C(0xCFE63DA2FA4BC64B) } }, ++ { { UINT64_C(0x82C1C684EAA66108), UINT64_C(0xE32262184CFE79FC), ++ UINT64_C(0x3F28B72B849C720E), UINT64_C(0x137FB3558FEE1CA8), ++ UINT64_C(0x4D18A9CDE4F90C4E), UINT64_C(0xC0344227CC3E46FA) }, ++ { UINT64_C(0x4FD5C08E79CDA392), UINT64_C(0x65DB20DB8ADC87B5), ++ UINT64_C(0x86F95D5B916C1B84), UINT64_C(0x7EDA387117BB2B7C), ++ UINT64_C(0x18CCF7E7669A533B), UINT64_C(0x5E92421CECAD0E06) } }, ++ { { UINT64_C(0x26063E124174B08B), UINT64_C(0xE621D9BE70DE8E4D), ++ UINT64_C(0xAEA0FD0F5ECDF350), UINT64_C(0x0D9F69E49C20E5C9), ++ UINT64_C(0xD3DADEB90BBE2918), UINT64_C(0xD7B9B5DB58AA2F71) }, ++ { UINT64_C(0x7A971DD73364CAF8), UINT64_C(0x702616A3C25D4BE4), ++ UINT64_C(0xA30F0FA1A9E30071), UINT64_C(0x98AB24385573BC69), ++ UINT64_C(0xCBC63CDF6FEC2E22), UINT64_C(0x965F90EDCC901B9B) } }, ++ { { UINT64_C(0xD53B592D71E15BB3), UINT64_C(0x1F03C0E98820E0D0), ++ UINT64_C(0xCE93947D3CCCB726), UINT64_C(0x2790FEE01D547590), ++ UINT64_C(0x4401D847C59CDD7A), UINT64_C(0x72D69120A926DD9D) }, ++ { UINT64_C(0x38B8F21D4229F289), UINT64_C(0x9F412E407FE978AF), ++ UINT64_C(0xAE07901BCDB59AF1), UINT64_C(0x1E6BE5EBD1D4715E), ++ UINT64_C(0x3715BD8B18C96BEF), UINT64_C(0x4B71F6E6E11B3798) } }, ++ }, ++ { ++ { { UINT64_C(0x11A8FDE5F0CE2DF4), UINT64_C(0xBC70CA3EFA8D26DF), ++ UINT64_C(0x6818C275C74DFE82), UINT64_C(0x2B0294AC38373A50), ++ UINT64_C(0x584C4061E8E5F88F), UINT64_C(0x1C05C1CA7342383A) }, ++ { UINT64_C(0x263895B3911430EC), UINT64_C(0xEF9B0032A5171453), ++ UINT64_C(0x144359DA84DA7F0C), UINT64_C(0x76E3095A924A09F2), ++ UINT64_C(0x612986E3D69AD835), UINT64_C(0x70E03ADA392122AF) } }, ++ { { UINT64_C(0xFEB707EE67AAD17B), UINT64_C(0xBB21B28783042995), ++ UINT64_C(0x26DE16459A0D32BA), UINT64_C(0x9A2FF38A1FFB9266), ++ UINT64_C(0x4E5AD96D8F578B4A), UINT64_C(0x26CC0655883E7443) }, ++ { UINT64_C(0x1D8EECAB2EE9367A), UINT64_C(0x42B84337881DE2F8), ++ UINT64_C(0xE49B2FAED758AE41), UINT64_C(0x6A9A22904A85D867), ++ UINT64_C(0x2FB89DCEE68CBA86), UINT64_C(0xBC2526357F09A982) } }, ++ { { UINT64_C(0xADC794368C61AAAC), UINT64_C(0x24C7FD135E926563), ++ UINT64_C(0xEF9FAAA40406C129), UINT64_C(0xF4E6388C8B658D3C), ++ UINT64_C(0x7262BEB41E435BAF), UINT64_C(0x3BF622CCFDAEAC99) }, ++ { UINT64_C(0xD359F7D84E1AEDDC), UINT64_C(0x05DC4F8CD78C17B7), ++ UINT64_C(0xB18CF03229498BA5), UINT64_C(0xC67388CA85BF35AD), ++ UINT64_C(0x8A7A6AA262AA4BC8), UINT64_C(0x0B8F458E72F4627A) } }, ++ { { UINT64_C(0x3FB812EEC68E4488), UINT64_C(0x53C5EAA460EF7281), ++ UINT64_C(0xE57241838FBEFBE4), UINT64_C(0x2B7D49F4A4B24A05), ++ UINT64_C(0x23B138D0710C0A43), UINT64_C(0x16A5B4C1A85EC1DB) }, ++ { UINT64_C(0x7CC1F3D7305FEB02), UINT64_C(0x52F7947D5B6C1B54), ++ UINT64_C(0x1BDA23128F56981C), UINT64_C(0x68663EAEB4080A01), ++ UINT64_C(0x8DD7BA7E9F999B7F), UINT64_C(0xD8768D19B686580C) } }, ++ { { UINT64_C(0xBCD0E0AD7AFDDA94), UINT64_C(0x95A0DBBE34A30687), ++ UINT64_C(0xBBE3C3DF8C5E2665), UINT64_C(0x742BECD8EBF2BC16), ++ UINT64_C(0x300CEB483FA163A6), UINT64_C(0x0C5D02EE4663354B) }, ++ { UINT64_C(0xE4FB9AD6B5E606A4), UINT64_C(0x93F507B8CF49FF95), ++ UINT64_C(0x9406A90C585C193B), UINT64_C(0xAD1440C14ECF9517), ++ UINT64_C(0x184CB4759CEA53F1), UINT64_C(0x6855C4748EF11302) } }, ++ { { UINT64_C(0x00ECB523EDCAFA52), UINT64_C(0x0DA0AE0E086F69D3), ++ UINT64_C(0xC384DE15C242F347), UINT64_C(0xFB050E6E848C12B7), ++ UINT64_C(0x22F6765464E015CE), UINT64_C(0xCBDC2A487CA122F2) }, ++ { UINT64_C(0xA940D973445FB02C), UINT64_C(0x00F31E783767D89D), ++ UINT64_C(0x2B65A237613DABDD), UINT64_C(0x2BE0AB05C875AE09), ++ UINT64_C(0xB22E54FDBA204F8E), UINT64_C(0x65E2029D0F7687B9) } }, ++ { { UINT64_C(0xFFD825381855A71C), UINT64_C(0x26A330B3438BD8D8), ++ UINT64_C(0x89628311F9D8C5F9), UINT64_C(0x8D5FB9CF953738A0), ++ UINT64_C(0xCB7159C9EDFCD4E5), UINT64_C(0xD64E52302064C7C2) }, ++ { UINT64_C(0xF858ED80689F3CFE), UINT64_C(0x4830E30956128B67), ++ UINT64_C(0x2E1692DAE0E90688), UINT64_C(0xAB818913CA9CC232), ++ UINT64_C(0xE2E30C23A5D229A6), UINT64_C(0xA544E8B10E740E23) } }, ++ { { UINT64_C(0x1C15E569DC61E6CC), UINT64_C(0x8FD7296758FC7800), ++ UINT64_C(0xE61E7DB737A9DFC5), UINT64_C(0x3F34A9C65AFD7822), ++ UINT64_C(0x0A11274219E80773), UINT64_C(0xA353460C4760FC58) }, ++ { UINT64_C(0x2FB7DEEBB3124C71), UINT64_C(0x484636272D4009CC), ++ UINT64_C(0x399D1933C3A10370), UINT64_C(0x7EB1945054388DBD), ++ UINT64_C(0x8ECCE6397C2A006A), UINT64_C(0x3D565DAF55C932A0) } }, ++ { { UINT64_C(0xCEF57A9FD9ADAE53), UINT64_C(0xE2EB27D7F83FD8CD), ++ UINT64_C(0x4AC8F7199BBD2DDE), UINT64_C(0x604283AAE91ABFB7), ++ UINT64_C(0xB6A4E11534799F87), UINT64_C(0x2B253224E4C2A8F3) }, ++ { UINT64_C(0xC34F8B92C8782294), UINT64_C(0xC74D697DFCC2CB6B), ++ UINT64_C(0xD990411BC2C84C46), UINT64_C(0x2807B5C631EA4955), ++ UINT64_C(0x14AE2B93B9EB27F5), UINT64_C(0xF0AE96A76163EDFA) } }, ++ { { UINT64_C(0xA7BDCBB442DB7180), UINT64_C(0xC9FAA41FEDCA752F), ++ UINT64_C(0x147F91B4E820F401), UINT64_C(0x1E6CEF86F5F2645F), ++ UINT64_C(0xB4AB4D7F31FE711D), UINT64_C(0xCE68FB3C743EF882) }, ++ { UINT64_C(0xB9D7D6823EF2FCFF), UINT64_C(0xF6893811020DCAFD), ++ UINT64_C(0x30D9A50CBF81E760), UINT64_C(0x7F247D06B9B87228), ++ UINT64_C(0x143D4FEC5F40CFC0), UINT64_C(0x21D78D73329B2A88) } }, ++ { { UINT64_C(0x06B3FF8AED3F2055), UINT64_C(0x50482C77522BE214), ++ UINT64_C(0x8DF69CD8DDF54620), UINT64_C(0x6D1DB204F78A1165), ++ UINT64_C(0x459AE4A29AFE6BF2), UINT64_C(0xC23A9FFD24AC871E) }, ++ { UINT64_C(0xB7FD22E389E85D81), UINT64_C(0x297F1F6B122E9978), ++ UINT64_C(0xAB283D66144BE1CE), UINT64_C(0xC1F90AC2C00C614E), ++ UINT64_C(0x5465576E3224CD09), UINT64_C(0x8E8D910D441B6059) } }, ++ { { UINT64_C(0xF73A060AAAA228BC), UINT64_C(0xCF1B078356EFF87D), ++ UINT64_C(0x11EF17C0A54C9133), UINT64_C(0x9E476B1576A4DAA5), ++ UINT64_C(0x5624FEAC8018FB92), UINT64_C(0x9826A0FCCFEEC1B9) }, ++ { UINT64_C(0xB732F7FE2DFE2046), UINT64_C(0x9260BD9F3B40DA6A), ++ UINT64_C(0xCC9F908F4F231773), UINT64_C(0x4827FEB9DAFC0D55), ++ UINT64_C(0x07D32E85538ACE95), UINT64_C(0xAD9F897CB8EDAF37) } }, ++ { { UINT64_C(0x2F75B82FE3415498), UINT64_C(0xF99CAC5FF1015F30), ++ UINT64_C(0x766408247D7F25DE), UINT64_C(0x714BC9CDEE74C047), ++ UINT64_C(0x70F847BF07448879), UINT64_C(0xA14481DE072165C0) }, ++ { UINT64_C(0x9BFA59E3DB1140A8), UINT64_C(0x7B9C7FF0FCD13502), ++ UINT64_C(0xF4D7538E68459ABF), UINT64_C(0xED93A791C8FC6AD2), ++ UINT64_C(0xA8BBE2A8B51BD9B2), UINT64_C(0x084B5A279FB34008) } }, ++ { { UINT64_C(0xB3BB9545EB138C84), UINT64_C(0x59C3489C3FC88BFD), ++ UINT64_C(0x3A97FF6385F53EC7), UINT64_C(0x40FDF5A60AA69C3D), ++ UINT64_C(0x0E8CCEC753D19668), UINT64_C(0x0AA72EF933FAA661) }, ++ { UINT64_C(0xF5C5A6CF9B1E684B), UINT64_C(0x630F937131A22EA1), ++ UINT64_C(0x06B2AAC2AC60F7EA), UINT64_C(0xB181CAE25BC37D80), ++ UINT64_C(0x4601A929247B13EA), UINT64_C(0x8A71C3865F739797) } }, ++ { { UINT64_C(0x545387B3AB134786), UINT64_C(0x3179BB061599B64A), ++ UINT64_C(0xB0A6198607593574), UINT64_C(0xC7E39B2163FA7C3B), ++ UINT64_C(0xA1173F8691585D13), UINT64_C(0x09D5CC8ECB9525CD) }, ++ { UINT64_C(0xAAD44FFD8F3A3451), UINT64_C(0x702B04F225820CC5), ++ UINT64_C(0xE90CAC491CB66C17), UINT64_C(0x40F6B547EE161DC4), ++ UINT64_C(0xC08BB8B41BA4AC4E), UINT64_C(0x7DC064FBAE5A6BC1) } }, ++ { { UINT64_C(0x90A5E8719D76DDC7), UINT64_C(0x39DC8FAEEDFC8E2E), ++ UINT64_C(0x98467A235B079C62), UINT64_C(0xE25E378505450C98), ++ UINT64_C(0x2FE23A4D96140083), UINT64_C(0x65CE3B9AE9900312) }, ++ { UINT64_C(0x1D87D0886B72B5D9), UINT64_C(0x72F53220FD9AFC82), ++ UINT64_C(0xC63C7C159E1F71FA), UINT64_C(0x90DF26EA8D449637), ++ UINT64_C(0x97089F40C1C2B215), UINT64_C(0x83AF266442317FAA) } }, ++ }, ++ { ++ { { UINT64_C(0xFA2DB51A8D688E31), UINT64_C(0x225B696CA09C88D4), ++ UINT64_C(0x9F88AF1D6059171F), UINT64_C(0x1C5FEA5E782A0993), ++ UINT64_C(0xE0FB15884EC710D3), UINT64_C(0xFAF372E5D32CE365) }, ++ { UINT64_C(0xD9F896AB26506F45), UINT64_C(0x8D3503388373C724), ++ UINT64_C(0x1B76992DCA6E7342), UINT64_C(0x76338FCA6FD0C08B), ++ UINT64_C(0xC3EA4C65A00F5C23), UINT64_C(0xDFAB29B3B316B35B) } }, ++ { { UINT64_C(0x84E5541F483AEBF9), UINT64_C(0x8ADFF7DC49165772), ++ UINT64_C(0xE0A43AD69BEAAD3C), UINT64_C(0x97DD1820F51C2714), ++ UINT64_C(0xAC2B4CB457EA5B0C), UINT64_C(0x87DBD011D11767CA) }, ++ { UINT64_C(0x18CCF36CBFC7957A), UINT64_C(0xD4A088411BC79227), ++ UINT64_C(0x9811CE43D8D292A8), UINT64_C(0x72C5FC68D58C4EE7), ++ UINT64_C(0x5BC0F0BED35C65A7), UINT64_C(0x0B446DBCCBBF9669) } }, ++ { { UINT64_C(0x7EBA3DA69CEE9BCE), UINT64_C(0x3E2C1248D5377750), ++ UINT64_C(0x8C917D982B93D8B2), UINT64_C(0xCA8FC6AC7CAD1F75), ++ UINT64_C(0x5F581F19A0FF150A), UINT64_C(0x872CC14AE08327FA) }, ++ { UINT64_C(0xC774F187E9333188), UINT64_C(0x528ED4AC497AF7E8), ++ UINT64_C(0xCE036E9B8AD72B10), UINT64_C(0x463F9EBB917986CF), ++ UINT64_C(0xBE5163281325CF9B), UINT64_C(0xD28D5C50DD7E5FEA) } }, ++ { { UINT64_C(0x714C1D1BDD58BBE3), UINT64_C(0x85BA01AE039AFD0F), ++ UINT64_C(0x7F23EA3A6951AC80), UINT64_C(0x5C599290AC00C837), ++ UINT64_C(0xF6EFA2B3BF24CC1B), UINT64_C(0x393D8E421E84462B) }, ++ { UINT64_C(0x9BDA627DF8B89453), UINT64_C(0xE66FFF2EB23E0D1B), ++ UINT64_C(0xD1EE7089C3B94EC2), UINT64_C(0xF75DBA6E3031699A), ++ UINT64_C(0x8FF75F79242B2453), UINT64_C(0xE721EDEB289BFED4) } }, ++ { { UINT64_C(0x083215A1C1390FA8), UINT64_C(0x901D686A6DCE8CE0), ++ UINT64_C(0x4AB1BA62837073FF), UINT64_C(0x10C287AA34BEABA5), ++ UINT64_C(0xB4931AF446985239), UINT64_C(0x07639899B053C4DC) }, ++ { UINT64_C(0x29E7F44DE721EECD), UINT64_C(0x6581718257B3FF48), ++ UINT64_C(0x198542E25054E2E0), UINT64_C(0x923C9E1584616DE8), ++ UINT64_C(0x2A9C15E1AD465BB9), UINT64_C(0xD8D4EFC716319245) } }, ++ { { UINT64_C(0x72DC79439961A674), UINT64_C(0x839A0A52A0E13668), ++ UINT64_C(0xD7A53FA9334945EA), UINT64_C(0xDB21DB77E7AA25DB), ++ UINT64_C(0xB6675A7D66E96DA3), UINT64_C(0x2C31C406E66F33C0) }, ++ { UINT64_C(0x45020B626EC7B9CB), UINT64_C(0xFF46E9CD0391F267), ++ UINT64_C(0x7DABD7440FA2F221), UINT64_C(0x9A32364B9D4A2A3E), ++ UINT64_C(0xF0F84AE852D2E47A), UINT64_C(0xD0B872BB888F488A) } }, ++ { { UINT64_C(0x531E4CEFC9790EEF), UINT64_C(0xF7B5735E2B8D1A58), ++ UINT64_C(0xB8882F1EEF568511), UINT64_C(0xAFB08D1C86A86DB3), ++ UINT64_C(0x88CB9DF2F54DE8C7), UINT64_C(0xA44234F19A683282) }, ++ { UINT64_C(0xBC1B3D3AA6E9AB2E), UINT64_C(0xEFA071FB87FC99EE), ++ UINT64_C(0xFA3C737DA102DC0F), UINT64_C(0xDF3248A6D6A0CBD2), ++ UINT64_C(0x6E62A4FF1ECC1BF4), UINT64_C(0xF718F940C8F1BC17) } }, ++ { { UINT64_C(0x2C8B0AAD4F63F026), UINT64_C(0x2AFF623850B253CC), ++ UINT64_C(0xCAB3E94210C4D122), UINT64_C(0x52B59F0407CD2816), ++ UINT64_C(0x22322803982C41FC), UINT64_C(0x38844E668CF50B19) }, ++ { UINT64_C(0x42A959F7BE3264CD), UINT64_C(0xBDDC24BD6C983524), ++ UINT64_C(0xA489EB0C462B8640), UINT64_C(0xB7C0509298029BE7), ++ UINT64_C(0xD5546B5FA1ADDC64), UINT64_C(0xE7CAC1FCA0C655AF) } }, ++ { { UINT64_C(0x1454719847636F97), UINT64_C(0x6FA67481EBCDCCFF), ++ UINT64_C(0xC164872F395D3258), UINT64_C(0xB8CECAFEEE6ACDBC), ++ UINT64_C(0x3FBFE5F3A933F180), UINT64_C(0xEC20CAC2898C3B1E) }, ++ { UINT64_C(0x6A031BEE87DA73F9), UINT64_C(0xD1E667D15C5AF46E), ++ UINT64_C(0xCB3DC1681DC6EEF9), UINT64_C(0x2DD1BD9433D310C0), ++ UINT64_C(0x0F78D4939207E438), UINT64_C(0xC233D544A99C0E75) } }, ++ { { UINT64_C(0x228F19F19E2A0113), UINT64_C(0x58495BE50E1A5D37), ++ UINT64_C(0x97E08F6938D7F364), UINT64_C(0x1EC3BA3E510759B0), ++ UINT64_C(0x3682F19AE03CD40D), UINT64_C(0xC87745D8F9E16D68) }, ++ { UINT64_C(0xFD527AB509A642EA), UINT64_C(0x6308EEBDF9C81F27), ++ UINT64_C(0xFA9F666C550C5D68), UINT64_C(0xDEBA436F584AB153), ++ UINT64_C(0x1D4861D35B63E939), UINT64_C(0x073BED9BC9850221) } }, ++ { { UINT64_C(0x802BCCF08B171246), UINT64_C(0xFFF7D15A733B072F), ++ UINT64_C(0xEA3862664CBFA4EF), UINT64_C(0x9E5B5073D635946B), ++ UINT64_C(0x16E9A979FA81BE95), UINT64_C(0x41E8716EB14F701F) }, ++ { UINT64_C(0x25782E0F101A6719), UINT64_C(0x442C4875C9D66959), ++ UINT64_C(0x52D845D92B85D153), UINT64_C(0xFF9251382E831117), ++ UINT64_C(0x01B700CC8E02434B), UINT64_C(0xD2DB7F8EEC0BAE3E) } }, ++ { { UINT64_C(0x1B225300966A4872), UINT64_C(0x40C149BE566F537B), ++ UINT64_C(0x3335F4D2CB680021), UINT64_C(0x773D0263778E5F5F), ++ UINT64_C(0x1D9B7602666FA9ED), UINT64_C(0x52490A102E6200CF) }, ++ { UINT64_C(0x8434C7DD961F290B), UINT64_C(0x773AC15664456446), ++ UINT64_C(0x5E2BB78947B712BB), UINT64_C(0xFD3BCBFDBE0974AD), ++ UINT64_C(0x71AE9351791AD5D8), UINT64_C(0x1EE738BA6F4E1400) } }, ++ { { UINT64_C(0x2FA428AB0BE8E26E), UINT64_C(0xFEFF0600BB4CF9FC), ++ UINT64_C(0x76F25CA9B2EA5FB0), UINT64_C(0xAB7FECF06835C5F4), ++ UINT64_C(0x649D077219D5F328), UINT64_C(0xABE7B895ACBCB12E) }, ++ { UINT64_C(0xF2D1031AD69B1EA8), UINT64_C(0x46065D5DC60B0BBB), ++ UINT64_C(0xB0908DC185D798FF), UINT64_C(0x4E2420F0D2C9B18A), ++ UINT64_C(0x6B3A9BDDD30432A2), UINT64_C(0x501C3383C9B134AD) } }, ++ { { UINT64_C(0x608F096798A21284), UINT64_C(0x5361BE86059CCEDE), ++ UINT64_C(0x3A40655CAFD87EF7), UINT64_C(0x03CF311759083AA2), ++ UINT64_C(0x57DB5F61B6C366D9), UINT64_C(0x29DC275B6DD0D232) }, ++ { UINT64_C(0xBDAB24DD8FA67501), UINT64_C(0x5928F77565D08C37), ++ UINT64_C(0x9448A856645D466A), UINT64_C(0x6E6B5E2EC0E927A5), ++ UINT64_C(0xE884D546E80C6871), UINT64_C(0x10C881C953A9A851) } }, ++ { { UINT64_C(0x355053749B627AA5), UINT64_C(0xE7CA1B577976677B), ++ UINT64_C(0x812397124976CE17), UINT64_C(0x96E9080B96DA31B9), ++ UINT64_C(0x458254ABCC64AA1F), UINT64_C(0xFEFF682148E674C9) }, ++ { UINT64_C(0x8772F37A021F1488), UINT64_C(0x2E274E18AB56345C), ++ UINT64_C(0x7C7BE61C29823B76), UINT64_C(0x275DB7B29EEFB39E), ++ UINT64_C(0x83B10ED4BF5CBCEF), UINT64_C(0x40D7F5B4518E5183) } }, ++ { { UINT64_C(0x315CCC01F960B41B), UINT64_C(0x90B417C91D99E722), ++ UINT64_C(0x84AFAA0D013463E0), UINT64_C(0xF133C5D813E6D9E1), ++ UINT64_C(0xD95C6ADC525B7430), UINT64_C(0x082C61AD7A25106A) }, ++ { UINT64_C(0xABC1966DBA1CE179), UINT64_C(0xE0578B77A5DB529A), ++ UINT64_C(0x10988C05EC84107D), UINT64_C(0xFCADE5D71B207F83), ++ UINT64_C(0x0BEB6FDBC5BA83DB), UINT64_C(0x1C39B86D57537E34) } }, ++ }, ++ { ++ { { UINT64_C(0x5B0B5D692A7AECED), UINT64_C(0x4C03450C01DC545F), ++ UINT64_C(0x72AD0A4A404A3458), UINT64_C(0x1DE8E2559F467B60), ++ UINT64_C(0xA4B3570590634809), UINT64_C(0x76F30205706F0178) }, ++ { UINT64_C(0x588D21AB4454F0E5), UINT64_C(0xD22DF54964134928), ++ UINT64_C(0xF4E7E73D241BCD90), UINT64_C(0xB8D8A1D22FACC7CC), ++ UINT64_C(0x483C35A71D25D2A0), UINT64_C(0x7F8D25451EF9F608) } }, ++ { { UINT64_C(0xCB51F03954EBC926), UINT64_C(0xE235D356B8D4A7BB), ++ UINT64_C(0x93C8FAFAB41FE1A6), UINT64_C(0x6297701DA719F254), ++ UINT64_C(0x6E9165BC644F5CDE), UINT64_C(0x6506329D0C11C542) }, ++ { UINT64_C(0xA2564809A92B4250), UINT64_C(0x0E9AC173889C2E3E), ++ UINT64_C(0x286A592622B1D1BE), UINT64_C(0x86A3D7526ECDD041), ++ UINT64_C(0x4B867E0A649F9524), UINT64_C(0x1FE7D95A0629CB0F) } }, ++ { { UINT64_C(0xF4F66843CA5BAF54), UINT64_C(0x298DB357EFE7DB78), ++ UINT64_C(0xF607E86E7365712F), UINT64_C(0xD58822988A822BC0), ++ UINT64_C(0x2CFBD63AC61299B3), UINT64_C(0x6F713D9B67167B1A) }, ++ { UINT64_C(0x750F673FDE0B077A), UINT64_C(0x07482708EE2178DA), ++ UINT64_C(0x5E6D5BD169123C75), UINT64_C(0x6A93D1B6EAB99B37), ++ UINT64_C(0x6EF4F7E68CAEC6A3), UINT64_C(0x7BE411D6CF3ED818) } }, ++ { { UINT64_C(0xF92B307363A0A7D2), UINT64_C(0x32DA431C881DC8CF), ++ UINT64_C(0xE51BD5EDC578E3A3), UINT64_C(0xEFDA70D29587FA22), ++ UINT64_C(0xCFEC17089B2EBA85), UINT64_C(0x6AB51A4BAF7BA530) }, ++ { UINT64_C(0x5AC155AE98174812), UINT64_C(0xCAF07A71CCB076E3), ++ UINT64_C(0x280E86C2C38718A7), UINT64_C(0x9D12DE73D63745B7), ++ UINT64_C(0x0E8EA855BF8A79AA), UINT64_C(0x5EB2BED8BD705BF7) } }, ++ { { UINT64_C(0x33FE9578AE16DE53), UINT64_C(0x3AE85EB510BEC902), ++ UINT64_C(0xC4F4965844AF850E), UINT64_C(0x6EA222B3087DD658), ++ UINT64_C(0xB255E6FDA51F1447), UINT64_C(0xB35E4997117E3F48) }, ++ { UINT64_C(0x562E813B05616CA1), UINT64_C(0xDF5925D68A61E156), ++ UINT64_C(0xB2FA8125571C728B), UINT64_C(0x00864805A2F2D1CF), ++ UINT64_C(0x2DC26F411BCCB6FF), UINT64_C(0xEBD5E09363AE37DD) } }, ++ { { UINT64_C(0xD2D68BB30A285611), UINT64_C(0x3EAE7596DC8378F2), ++ UINT64_C(0x2DC6CCC66CC688A3), UINT64_C(0xC45E5713011F5DFB), ++ UINT64_C(0x6B9C4F6C62D34487), UINT64_C(0xFAD6F0771FC65551) }, ++ { UINT64_C(0x5E3266E062B23B52), UINT64_C(0xF1DAF319E98F4715), ++ UINT64_C(0x064D12EA3ED0AE83), UINT64_C(0x5CCF9326564125CB), ++ UINT64_C(0x09057022C63C1E9F), UINT64_C(0x7171972CDC9B5D2E) } }, ++ { { UINT64_C(0x2364FD9AEABD21B2), UINT64_C(0x3CE5F4BB9174AD6D), ++ UINT64_C(0xA4D6D5D0B38688C0), UINT64_C(0x2292A2D26D87FD7D), ++ UINT64_C(0x2A7D1B534CA02E54), UINT64_C(0x7BEE6E7EB4185715) }, ++ { UINT64_C(0x73E546098FC63ACD), UINT64_C(0xF4D93A124064E09D), ++ UINT64_C(0xD20E157A2B92DAA5), UINT64_C(0x90D125DBC4B81A00), ++ UINT64_C(0xCB951C9E7682DE13), UINT64_C(0x1ABE58F427987545) } }, ++ { { UINT64_C(0x6D35164030C70C8D), UINT64_C(0x8047D811CE2361B8), ++ UINT64_C(0x3F8B3D4FDF8E2C81), UINT64_C(0x5D59547733FA1F6C), ++ UINT64_C(0xF769FE5AE29B8A91), UINT64_C(0x26F0E606D737B2A2) }, ++ { UINT64_C(0x70CBFA5DB8B31C6A), UINT64_C(0x0F883B4A863D3AEA), ++ UINT64_C(0x156A4479E386AE2F), UINT64_C(0xA17A2FCDADE8A684), ++ UINT64_C(0x78BDF958E2A7E335), UINT64_C(0xD1B4E6733B9E3041) } }, ++ { { UINT64_C(0x1EAF48EC449A6D11), UINT64_C(0x6B94B8E46D2FA7B9), ++ UINT64_C(0x1D75D269728E4C1B), UINT64_C(0x91123819DD304E2C), ++ UINT64_C(0x0B34CAE388804F4B), UINT64_C(0x2BA192FBC5495E9A) }, ++ { UINT64_C(0xC93FF6EFFF4D24BF), UINT64_C(0xF8C2C0B00342BA78), ++ UINT64_C(0x8041F769831EB94C), UINT64_C(0x353100747782985E), ++ UINT64_C(0xC755320B3AF84E83), UINT64_C(0x384B6D266F497E7F) } }, ++ { { UINT64_C(0xEF92CD5917E6BD17), UINT64_C(0xA087305BA426965C), ++ UINT64_C(0x13895CE7AC47F773), UINT64_C(0xB85F2A9FE0BB2867), ++ UINT64_C(0x2926E6AA7CD7C58E), UINT64_C(0xE544EDA6450459C5) }, ++ { UINT64_C(0x73DBC351B90A9849), UINT64_C(0x961183F6848EBE86), ++ UINT64_C(0xC45BB21080534712), UINT64_C(0x379D08D7A654D9A3), ++ UINT64_C(0x5B97CEF2BD3FFA9C), UINT64_C(0x0F469F34DDC2FCE5) } }, ++ { { UINT64_C(0x6D1461080642F38D), UINT64_C(0x055171A0D21EB887), ++ UINT64_C(0x28DFFAB4D0DCEB28), UINT64_C(0x0D0E631298DE9CCD), ++ UINT64_C(0x750A9156118C3C3F), UINT64_C(0x8C1F1390B049D799) }, ++ { UINT64_C(0xE4823858439607C5), UINT64_C(0x947E9BA05C111EAB), ++ UINT64_C(0x39C95616A355DF2E), UINT64_C(0xF5F6B98E10E54BDA), ++ UINT64_C(0xB0E0B33D142B876A), UINT64_C(0x71197D73EA18C90C) } }, ++ { { UINT64_C(0x36A5139DF52BE819), UINT64_C(0xF60DDF3429A45D2B), ++ UINT64_C(0x0727EFECE9220E34), UINT64_C(0x431D33864EF7F446), ++ UINT64_C(0xC3165A64FCC4962C), UINT64_C(0xB7D926E1D64362BB) }, ++ { UINT64_C(0x216BC61FD45F9350), UINT64_C(0xA974CB2FBBAED815), ++ UINT64_C(0x31DF342D86FB2F76), UINT64_C(0x3AB67E0501D78314), ++ UINT64_C(0x7AA951E0DEE33ED2), UINT64_C(0x318FBBBDCEC78D94) } }, ++ { { UINT64_C(0xAD7EFB65B8FE0204), UINT64_C(0x0432E1C5230AB7F7), ++ UINT64_C(0x7563A62D9C967400), UINT64_C(0xD88B9C743524D4FF), ++ UINT64_C(0x16A1991CF1A823E3), UINT64_C(0xCF2F9BFEFA6F0FFB) }, ++ { UINT64_C(0x55AAA946A50CA61F), UINT64_C(0x8CBBD3C8FED4CAB3), ++ UINT64_C(0x03A0FAB87651365A), UINT64_C(0x46B5234B62DC3913), ++ UINT64_C(0xFD875B28B558CBBD), UINT64_C(0xA48EC3AE11CEB361) } }, ++ { { UINT64_C(0x5DD131A1B3ADBD8B), UINT64_C(0xF9FBCA3A29B45EF8), ++ UINT64_C(0x022048669341EE18), UINT64_C(0x8D13B89583BF9618), ++ UINT64_C(0x0E395BAEE807459C), UINT64_C(0xB9C110CCB190E7DB) }, ++ { UINT64_C(0xA0DC345225D25063), UINT64_C(0x2FB78EC802371462), ++ UINT64_C(0xC3A9E7BB8975C2D5), UINT64_C(0x9466687285A78264), ++ UINT64_C(0x480D2CC28029AA92), UINT64_C(0x237086C75655726D) } }, ++ { { UINT64_C(0x197F14BB65EB9EEE), UINT64_C(0xFC93125C9F12E5FD), ++ UINT64_C(0x9C20BC538BFBAE5E), UINT64_C(0xB35E21544BC053BA), ++ UINT64_C(0xE5FA9CC721C3898E), UINT64_C(0x502D72FFD42F950F) }, ++ { UINT64_C(0x6812D38AD1EB8C31), UINT64_C(0x1F77F3F1080D30BB), ++ UINT64_C(0x18D128335A8B1E98), UINT64_C(0x7FD39FA9299196CE), ++ UINT64_C(0xFB8C9F11CF4ED6D6), UINT64_C(0x4C00F604D6363194) } }, ++ { { UINT64_C(0x5C8AFCF9FA2A21C2), UINT64_C(0x71CBF2821928D133), ++ UINT64_C(0x56BEF28E42B29506), UINT64_C(0xAFBA250C70323DE2), ++ UINT64_C(0x3FE208D17DED2C30), UINT64_C(0xBD2CD213CE9AA598) }, ++ { UINT64_C(0x52C5EC52CFEED070), UINT64_C(0x0A7223E7D3DA336B), ++ UINT64_C(0x7156A4EDCE156B46), UINT64_C(0x9AF6C499ED7E6159), ++ UINT64_C(0x9D7A679713C029AD), UINT64_C(0xE5B5C9249018DC77) } }, ++ }, ++ { ++ { { UINT64_C(0x3F2EFF53DE1E4E55), UINT64_C(0x6B749943E4D3ECC4), ++ UINT64_C(0xAF10B18A0DDE190D), UINT64_C(0xF491B98DA26B0409), ++ UINT64_C(0x66080782A2B1D944), UINT64_C(0x59277DC697E8C541) }, ++ { UINT64_C(0xFDBFC5F6006F18AA), UINT64_C(0x435D165BFADD8BE1), ++ UINT64_C(0x8E5D263857645EF4), UINT64_C(0x31BCFDA6A0258363), ++ UINT64_C(0xF5330AB8D35D2503), UINT64_C(0xB71369F0C7CAB285) } }, ++ { { UINT64_C(0xE6A19DCC40ACC5A8), UINT64_C(0x1C3A1FF1DBC6DBF8), ++ UINT64_C(0xB4D89B9FC6455613), UINT64_C(0x6CB0FE44A7390D0E), ++ UINT64_C(0xADE197A459EA135A), UINT64_C(0xDA6AA86520680982) }, ++ { UINT64_C(0x03DB9BE95A442C1B), UINT64_C(0x221A2D732BFB93F2), ++ UINT64_C(0x44DEE8D4753C196C), UINT64_C(0x59ADCC700B7C6FF5), ++ UINT64_C(0xC6260EC24CA1B142), UINT64_C(0x4C3CB5C646CBD4F2) } }, ++ { { UINT64_C(0x8A15D6FEA417111F), UINT64_C(0xFE4A16BD71D93FCC), ++ UINT64_C(0x7A7EE38C55BBE732), UINT64_C(0xEFF146A51FF94A9D), ++ UINT64_C(0xE572D13EDD585AB5), UINT64_C(0xD879790E06491A5D) }, ++ { UINT64_C(0x9C84E1C52A58CB2E), UINT64_C(0xD79D13746C938630), ++ UINT64_C(0xDB12CD9B385F06C7), UINT64_C(0x0C93EB977A7759C3), ++ UINT64_C(0xF1F5B0FE683BD706), UINT64_C(0x541E4F7285EC3D50) } }, ++ { { UINT64_C(0x9A0E153581833608), UINT64_C(0x5CCE871E6E2833AC), ++ UINT64_C(0xC17059EAFB29777C), UINT64_C(0x7E40E5FAE354CAFD), ++ UINT64_C(0x9CF594054D07C371), UINT64_C(0x64CE36B2A71C3945) }, ++ { UINT64_C(0x69309E9656CAF487), UINT64_C(0x3D719E9F1AE3454B), ++ UINT64_C(0xF2164070E25823B6), UINT64_C(0xEAD851BD0BC27359), ++ UINT64_C(0x3D21BFE8B0925094), UINT64_C(0xA783B1E934A97F4E) } }, ++ { { UINT64_C(0x406B0C269546491A), UINT64_C(0x9E5E15E2F293C4E5), ++ UINT64_C(0xC60D641315B164DB), UINT64_C(0x0DA46F530C75A78E), ++ UINT64_C(0x7C599BB7EA0C656B), UINT64_C(0x0F07A5121B1A8122) }, ++ { UINT64_C(0x14C7204A15172686), UINT64_C(0x8FAEDFF85165625D), ++ UINT64_C(0x20F260CE37AEDE40), UINT64_C(0xC81F771E8F357FFE), ++ UINT64_C(0x25499197B0912557), UINT64_C(0x736197DC4C739C74) } }, ++ { { UINT64_C(0x6151BAB1381B3462), UINT64_C(0x27E5A07843DBD344), ++ UINT64_C(0x2CB05BD6A1C3E9FB), UINT64_C(0x2A75976027CF2A11), ++ UINT64_C(0x0ADCF9DBFF43E702), UINT64_C(0x4BBF03E21F484146) }, ++ { UINT64_C(0x0E74997F55B6521A), UINT64_C(0x15629231ADE17086), ++ UINT64_C(0x7F143E867493FC58), UINT64_C(0x60869095AF8B9670), ++ UINT64_C(0x482CFCD77E524869), UINT64_C(0x9E8060C31D454756) } }, ++ { { UINT64_C(0xE495747AC88B4D3B), UINT64_C(0xB7559835AE8A948F), ++ UINT64_C(0x67EEF3A9DEB56853), UINT64_C(0x0E20E2699DEE5ADF), ++ UINT64_C(0x9031AF6761F0A1AA), UINT64_C(0x76669D32683402BC) }, ++ { UINT64_C(0x90BD231306718B16), UINT64_C(0xE1B22A21864EFDAC), ++ UINT64_C(0xE4FFE9096620089F), UINT64_C(0xB84C842E3428E2D9), ++ UINT64_C(0x0E28C880FE3871FC), UINT64_C(0x8932F6983F21C200) } }, ++ { { UINT64_C(0x603F00CE6C90EA5D), UINT64_C(0x6473930740A2F693), ++ UINT64_C(0xAF65148B2174E517), UINT64_C(0x162FC2CAF784AE74), ++ UINT64_C(0x0D9A88254D5F6458), UINT64_C(0x0C2D586143AACE93) }, ++ { UINT64_C(0xBF1EADDE9F73CBFC), UINT64_C(0xDE9C34C09C68BBCA), ++ UINT64_C(0x6D95602D67EF8A1A), UINT64_C(0x0AF2581BA791B241), ++ UINT64_C(0x14F7736112CAD604), UINT64_C(0x19F2354DE2ACD1AD) } }, ++ { { UINT64_C(0x272F78F60D60F263), UINT64_C(0xE7A8F4AF208FD785), ++ UINT64_C(0x10E191C636554F2C), UINT64_C(0x06D88551FD5CD0B3), ++ UINT64_C(0x29BF856857069C27), UINT64_C(0x3CE7ECD828AA6FAD) }, ++ { UINT64_C(0x7D8A92D0E9F1A1D8), UINT64_C(0xD40C7FF8D30B5725), ++ UINT64_C(0x16BE6CB2F54CAEB8), UINT64_C(0x14CA471A14CB0A91), ++ UINT64_C(0xD5FF15B802733CAE), UINT64_C(0xCAF88D87DAA76580) } }, ++ { { UINT64_C(0x39430E222C046592), UINT64_C(0x6CDAE81F1AD26706), ++ UINT64_C(0x8C102159A25D9106), UINT64_C(0x9A44057227CA9F30), ++ UINT64_C(0x8D34C43070287FBC), UINT64_C(0x9003A45529DB8AFA) }, ++ { UINT64_C(0x91364CC37FD971AD), UINT64_C(0x7B3AA0489C60EDB7), ++ UINT64_C(0x58B0E008526F4DD8), UINT64_C(0xB7674454D86D98AE), ++ UINT64_C(0xC25F4051B2B45747), UINT64_C(0x8243BF9CCC043E8F) } }, ++ { { UINT64_C(0xA89641C643A0C387), UINT64_C(0x6D92205C87B9AB17), ++ UINT64_C(0x37D691F4DAA0E102), UINT64_C(0xEB3E52D7CDE5312E), ++ UINT64_C(0x60D3C09916F518A2), UINT64_C(0x7854C0518A378EEB) }, ++ { UINT64_C(0x7359DB514BBCAAC5), UINT64_C(0xF5B1B68C1713F102), ++ UINT64_C(0xDAEAE645E4398DE5), UINT64_C(0x8C8ACB6CD1ABFB82), ++ UINT64_C(0x2E8B76C3136423E2), UINT64_C(0x509DCB2DA8BA015E) } }, ++ { { UINT64_C(0x2FF368159AD9C59C), UINT64_C(0xB189A4E8658E65B9), ++ UINT64_C(0x7D33DDBBEA786AD2), UINT64_C(0x96D0D648C0D2DC05), ++ UINT64_C(0x05E49256BFA03BE9), UINT64_C(0x0EA4E7A68BAF5A1C) }, ++ { UINT64_C(0x3DDCE0B09F9AD5A8), UINT64_C(0xF78091959E49C2CB), ++ UINT64_C(0xBFCEF29D21782C2F), UINT64_C(0xE57AD39FC41BFD97), ++ UINT64_C(0xC04B93E81355AD19), UINT64_C(0xAABC9E6E59440F9F) } }, ++ { { UINT64_C(0x7AA481035B6459DA), UINT64_C(0x83EF74770166E880), ++ UINT64_C(0x536182B1511CCE80), UINT64_C(0xAFDD2EEE73CA55AA), ++ UINT64_C(0xAB910D0DA8716143), UINT64_C(0x8BEAA42B83707250) }, ++ { UINT64_C(0x4BCCFD898DA2AB3D), UINT64_C(0x1DBF68A9EC6AA105), ++ UINT64_C(0x32CE610868EB42DA), UINT64_C(0x5C2C2C858EA62E37), ++ UINT64_C(0x1ED2791FCD3088A7), UINT64_C(0x496B4FEBFF05070C) } }, ++ { { UINT64_C(0x9FA9121A0AA629C5), UINT64_C(0xE286CFF157558BEC), ++ UINT64_C(0x4D9D657E59813A4D), UINT64_C(0xC4676A1626103519), ++ UINT64_C(0x616160B32BD4DF80), UINT64_C(0x26FB78CC30FBAE87) }, ++ { UINT64_C(0x096070138F0F66BD), UINT64_C(0xDD4E2D0C03D9B90D), ++ UINT64_C(0x5D3A8912600D1B12), UINT64_C(0xF76DD52F4308E126), ++ UINT64_C(0x97CC04099E4FCCA6), UINT64_C(0x0CFBE31104C4DF7B) } }, ++ { { UINT64_C(0x6CA62C1228437A23), UINT64_C(0x0DAF335340E7A003), ++ UINT64_C(0x1FD07DF0D20F8079), UINT64_C(0xEAE7969C3BBC9749), ++ UINT64_C(0x55861AFA9ECAD022), UINT64_C(0xEC41DAD91FBC3D4C) }, ++ { UINT64_C(0x1FE4CB40DA8B261B), UINT64_C(0xC2671AB6427C5C9D), ++ UINT64_C(0xDFCDA7B8261D4939), UINT64_C(0x9E7B802B2072C0B9), ++ UINT64_C(0x3AFEE900C7828CC2), UINT64_C(0x3488BF28F6DE987F) } }, ++ { { UINT64_C(0x33B9F2DE7BE1F89E), UINT64_C(0xD4E80821299B15C9), ++ UINT64_C(0x87A3067A0E13F37F), UINT64_C(0x6D4C09ED55FD239F), ++ UINT64_C(0x48B1042D92EF014F), UINT64_C(0xA382B2E0B385A759) }, ++ { UINT64_C(0xBF571BB07F6F84F8), UINT64_C(0x25AFFA370CE87F50), ++ UINT64_C(0x826906D3FE54F1BC), UINT64_C(0x6B0421F4C53AE76A), ++ UINT64_C(0x44F85A3A4855EB3C), UINT64_C(0xF49E21518D1F2B27) } }, ++ }, ++ { ++ { { UINT64_C(0xC0426B775E3C647B), UINT64_C(0xBFCBD9398CF05348), ++ UINT64_C(0x31D312E3172C0D3D), UINT64_C(0x5F49FDE6EE754737), ++ UINT64_C(0x895530F06DA7EE61), UINT64_C(0xCF281B0AE8B3A5FB) }, ++ { UINT64_C(0xFD14973541B8A543), UINT64_C(0x41A625A73080DD30), ++ UINT64_C(0xE2BAAE07653908CF), UINT64_C(0xC3D01436BA02A278), ++ UINT64_C(0xA0D0222E7B21B8F8), UINT64_C(0xFDC270E9D7EC1297) } }, ++ { { UINT64_C(0x06A67BD29F101E64), UINT64_C(0xCB6E0AC7E1733A4A), ++ UINT64_C(0xEE0B5D5197BC62D2), UINT64_C(0x52B1703924C51874), ++ UINT64_C(0xFED1F42382A1A0D5), UINT64_C(0x55D90569DB6270AC) }, ++ { UINT64_C(0x36BE4A9C5D73D533), UINT64_C(0xBE9266D6976ED4D5), ++ UINT64_C(0xC17436D3B8F8074B), UINT64_C(0x3BB4D399718545C6), ++ UINT64_C(0x8E1EA3555C757D21), UINT64_C(0xF7EDBC978C474366) } }, ++ { { UINT64_C(0xEC72C6506EA83242), UINT64_C(0xF7DE7BE51B2D237F), ++ UINT64_C(0x3C5E22001819EFB0), UINT64_C(0xDF5AB6D68CDDE870), ++ UINT64_C(0x75A44E9D92A87AEE), UINT64_C(0xBDDC46F4BCF77F19) }, ++ { UINT64_C(0x8191EFBD669B674D), UINT64_C(0x52884DF9ED71768F), ++ UINT64_C(0xE62BE58265CF242C), UINT64_C(0xAE99A3B180B1D17B), ++ UINT64_C(0x48CBB44692DE59A9), UINT64_C(0xD3C226CF2DCB3CE2) } }, ++ { { UINT64_C(0x9580CDFB9FD94EC4), UINT64_C(0xED273A6C28631AD9), ++ UINT64_C(0x5D3D5F77C327F3E7), UINT64_C(0x05D5339C35353C5F), ++ UINT64_C(0xC56FB5FE5C258EB1), UINT64_C(0xEFF8425EEDCE1F79) }, ++ { UINT64_C(0xAB7AA141CF83CF9C), UINT64_C(0xBD2A690A207D6D4F), ++ UINT64_C(0xE1241491458D9E52), UINT64_C(0xDD2448CCAA7F0F31), ++ UINT64_C(0xEC58D3C7F0FDA7AB), UINT64_C(0x7B6E122DC91BBA4D) } }, ++ { { UINT64_C(0x2A2DEDAFB1B48156), UINT64_C(0xA0A2C63ABB93DB87), ++ UINT64_C(0xC655907808ACD99E), UINT64_C(0x03EA42AFFE4AC331), ++ UINT64_C(0x43D2C14AEB180ED6), UINT64_C(0xC2F293DDB1156A1A) }, ++ { UINT64_C(0x1FAFABF5A9D81249), UINT64_C(0x39ADDEAD9A8EEE87), ++ UINT64_C(0x21E206F2119E2E92), UINT64_C(0xBC5DCC2ED74DCEB6), ++ UINT64_C(0x86647FA30A73A358), UINT64_C(0xEAD8BEA42F53F642) } }, ++ { { UINT64_C(0x636225F591C09091), UINT64_C(0xCCF5070A71BDCFDF), ++ UINT64_C(0x0EF8D625B9668EE2), UINT64_C(0x57BDF6CDB5E04E4F), ++ UINT64_C(0xFC6AB0A67C75EA43), UINT64_C(0xEB6B8AFBF7FD6EF3) }, ++ { UINT64_C(0x5B2AEEF02A3DF404), UINT64_C(0x31FD3B48B9823197), ++ UINT64_C(0x56226DB683A7EB23), UINT64_C(0x3772C21E5BB1ED2F), ++ UINT64_C(0x3E833624CD1ABA6A), UINT64_C(0xBAE58FFAAC672DAD) } }, ++ { { UINT64_C(0xCE92224D31BA1705), UINT64_C(0x022C6ED2F0197F63), ++ UINT64_C(0x21F18D99A4DC1113), UINT64_C(0x5CD04DE803616BF1), ++ UINT64_C(0x6F9006799FF12E08), UINT64_C(0xF59A331548E61DDF) }, ++ { UINT64_C(0x9474D42CB51BD024), UINT64_C(0x11A0A4139051E49D), ++ UINT64_C(0x79C92705DCE70EDB), UINT64_C(0x113CE27834198426), ++ UINT64_C(0x8978396FEA8616D2), UINT64_C(0x9A2A14D0EA894C36) } }, ++ { { UINT64_C(0x4F1E1254604F6E4A), UINT64_C(0x4513B0880187D585), ++ UINT64_C(0x9022F25719E0F482), UINT64_C(0x51FB2A80E2239DBF), ++ UINT64_C(0x49940D9E998ED9D5), UINT64_C(0x0583D2416C932C5D) }, ++ { UINT64_C(0x1188CEC8F25B73F7), UINT64_C(0xA28788CB3B3D06CD), ++ UINT64_C(0xDEA194ECA083DB5A), UINT64_C(0xD93A4F7E22DF4272), ++ UINT64_C(0x8D84E4BF6A009C49), UINT64_C(0x893D8DD93E3E4A9E) } }, ++ { { UINT64_C(0x35E909EA33D31160), UINT64_C(0x5020316857172F1E), ++ UINT64_C(0x2707FC4451F3D866), UINT64_C(0xEB9D2018D2442A5D), ++ UINT64_C(0x904D72095DBFE378), UINT64_C(0x6DB132A35F13CF77) }, ++ { UINT64_C(0x9D842BA67A3AF54B), UINT64_C(0x4E16EA195AA5B4F9), ++ UINT64_C(0x2BBA457CAF24228E), UINT64_C(0xCC04B3BB16F3C5FE), ++ UINT64_C(0xBAFAC51677E64944), UINT64_C(0x31580A34F08BCEE0) } }, ++ { { UINT64_C(0xC6808DEE20C30ACA), UINT64_C(0xDADD216FA3EA2056), ++ UINT64_C(0xD331394E7A4A9F9D), UINT64_C(0x9E0441AD424C4026), ++ UINT64_C(0xAEED102F0AEB5350), UINT64_C(0xC6697FBBD45B09DA) }, ++ { UINT64_C(0x52A2590EDEAC1496), UINT64_C(0x7142B831250B87AF), ++ UINT64_C(0xBEF2E68B6D0784A8), UINT64_C(0x5F62593AA5F71CEF), ++ UINT64_C(0x3B8F7616B5DA51A3), UINT64_C(0xC7A6FA0DB680F5FE) } }, ++ { { UINT64_C(0x36C21DE699C8227C), UINT64_C(0xBEE3E867C26813B1), ++ UINT64_C(0x9B05F2E6BDD91549), UINT64_C(0x34FF2B1FA7D1110F), ++ UINT64_C(0x8E6953B937F67FD0), UINT64_C(0x56C7F18BC3183E20) }, ++ { UINT64_C(0x48AF46DE9E2019ED), UINT64_C(0xDEAF972EF551BBBF), ++ UINT64_C(0x88EE38F8CC5E3EEF), UINT64_C(0xFB8D7A44392D6BAF), ++ UINT64_C(0x32293BFC0127187D), UINT64_C(0x7689E767E58647CC) } }, ++ { { UINT64_C(0x00CE901B52168013), UINT64_C(0xC6BF8E38837AAE71), ++ UINT64_C(0xD6F11EFA167677D8), UINT64_C(0xE53BB48586C8E5CF), ++ UINT64_C(0x671167CEC48E74AB), UINT64_C(0x8A40218C8AD720A7) }, ++ { UINT64_C(0x81E827A6E7C1191A), UINT64_C(0x54058F8DADDB153D), ++ UINT64_C(0x0BAF29250D950FA2), UINT64_C(0xC244674D576DDA13), ++ UINT64_C(0x8C4630AE41BCD13B), UINT64_C(0x6C2127BF5A077419) } }, ++ { { UINT64_C(0xCF977FD5A83C501F), UINT64_C(0xD7C6DF36B6AB176F), ++ UINT64_C(0x117F6331397BC6B5), UINT64_C(0x72A6078BF7A2D491), ++ UINT64_C(0xE5A2AAED5242FE2E), UINT64_C(0x88ECFFDCFEBDC212) }, ++ { UINT64_C(0xF2DBBF50CE33BA21), UINT64_C(0xE1343B76CEB19F07), ++ UINT64_C(0x1F32D4C9D2C28F71), UINT64_C(0x93FC64B418587685), ++ UINT64_C(0x39CEEF9BBA1F8BD1), UINT64_C(0x99C36A788D6D6BB0) } }, ++ { { UINT64_C(0x0D0638173E9561CF), UINT64_C(0x1D8646AA3D33704D), ++ UINT64_C(0x8C4513847A08BA33), UINT64_C(0x96446BD3E02D6624), ++ UINT64_C(0x749849F02D6F4166), UINT64_C(0xE364DA0114268BF0) }, ++ { UINT64_C(0x7CE4587E9AEBFCFD), UINT64_C(0xD468606456234393), ++ UINT64_C(0x00231D5116DF73B2), UINT64_C(0xF6A969B77279C78C), ++ UINT64_C(0x1FF1F6B66CB4117C), UINT64_C(0x30AEBC39D3EAB680) } }, ++ { { UINT64_C(0x5CC97E6493EF00B9), UINT64_C(0xDAE13841972345AE), ++ UINT64_C(0x858391844788F43C), UINT64_C(0xD0FF521EE2E6CF3E), ++ UINT64_C(0xAED14A5B4B707C86), UINT64_C(0x7EAAE4A6D2523CF7) }, ++ { UINT64_C(0x266472C5024C8AC6), UINT64_C(0xE47E1522C0170051), ++ UINT64_C(0x7B83DA6173826BAE), UINT64_C(0xE97E19F5CF543F0D), ++ UINT64_C(0x5D5248FA20BF38E2), UINT64_C(0x8A7C2F7DDF56A037) } }, ++ { { UINT64_C(0xB04659DD87B0526C), UINT64_C(0x593C604A2307565E), ++ UINT64_C(0x49E522257C630AB8), UINT64_C(0x24C1D0C6DCE9CD23), ++ UINT64_C(0x6FDB241C85177079), UINT64_C(0x5F521D19F250C351) }, ++ { UINT64_C(0xFB56134BA6FB61DF), UINT64_C(0xA4E70D69D75C07ED), ++ UINT64_C(0xB7A824487D8825A8), UINT64_C(0xA3AEA7D4DD64BBCC), ++ UINT64_C(0xD53E6E6C8692F539), UINT64_C(0x8DDDA83BF7AA4BC0) } }, ++ }, ++ { ++ { { UINT64_C(0x140A0F9FDD93D50A), UINT64_C(0x4799FFDE83B7ABAC), ++ UINT64_C(0x78FF7C2304A1F742), UINT64_C(0xC0568F51195BA34E), ++ UINT64_C(0xE97183603B7F78B4), UINT64_C(0x9CFD1FF1F9EFAA53) }, ++ { UINT64_C(0xE924D2C5BB06022E), UINT64_C(0x9987FA86FAA2AF6D), ++ UINT64_C(0x4B12E73F6EE37E0F), UINT64_C(0x1836FDFA5E5A1DDE), ++ UINT64_C(0x7F1B92259DCD6416), UINT64_C(0xCB2C1B4D677544D8) } }, ++ { { UINT64_C(0x0254486D9C213D95), UINT64_C(0x68A9DB56CB2F6E94), ++ UINT64_C(0xFB5858BA000F5491), UINT64_C(0x1315BDD934009FB6), ++ UINT64_C(0xB18A8E0AC42BDE30), UINT64_C(0xFDCF93D1F1070358) }, ++ { UINT64_C(0xBEB1DB753022937E), UINT64_C(0x9B9ECA7ACAC20DB4), ++ UINT64_C(0x152214D4E4122B20), UINT64_C(0xD3E673F2AABCCC7B), ++ UINT64_C(0x94C50F64AED07571), UINT64_C(0xD767059AE66B4F17) } }, ++ { { UINT64_C(0x40336B12DCD6D14B), UINT64_C(0xF6BCFF5DE3B4919C), ++ UINT64_C(0xC337048D9C841F0C), UINT64_C(0x4CE6D0251D617F50), ++ UINT64_C(0x00FEF2198117D379), UINT64_C(0x18B7C4E9F95BE243) }, ++ { UINT64_C(0x98DE119E38DF08FF), UINT64_C(0xDFD803BD8D772D20), ++ UINT64_C(0x94125B720F9678BD), UINT64_C(0xFC5B57CD334ACE30), ++ UINT64_C(0x09486527B7E86E04), UINT64_C(0xFE9F8BCC6E552039) } }, ++ { { UINT64_C(0x3B75C45BD6F5A10E), UINT64_C(0xFD4680F4C1C35F38), ++ UINT64_C(0x5450227DF8E0A113), UINT64_C(0x5E69F1AE73DDBA24), ++ UINT64_C(0x2007B80E57F24645), UINT64_C(0xC63695DC3D159741) }, ++ { UINT64_C(0xCBE54D294530F623), UINT64_C(0x986AD5732869586B), ++ UINT64_C(0xE19F70594CC39F73), UINT64_C(0x80F00AB32B1B8DA9), ++ UINT64_C(0xB765AAF973F68D26), UINT64_C(0xBC79A394E993F829) } }, ++ { { UINT64_C(0x9C441043F310D2A0), UINT64_C(0x2865EE58DC5EB106), ++ UINT64_C(0x71A959229CB8065C), UINT64_C(0x8EB3A733A052AF0F), ++ UINT64_C(0x56009F42B09D716E), UINT64_C(0xA7F923C5ABCBE6AD) }, ++ { UINT64_C(0x263B7669FA375C01), UINT64_C(0x641C47E521EF27A2), ++ UINT64_C(0xA89B474EB08FFD25), UINT64_C(0x5BE8EC3FF0A239F3), ++ UINT64_C(0x0E79957A242A6C5A), UINT64_C(0x1DFB26D00C6C75F5) } }, ++ { { UINT64_C(0x2FD97B9B9DFBF22A), UINT64_C(0xDEC16CC85643532D), ++ UINT64_C(0xDF0E6E3960FEE7C3), UINT64_C(0xD09AD7B6545860C8), ++ UINT64_C(0xCC16E98473FC3B7C), UINT64_C(0x6CE734C10D4E1555) }, ++ { UINT64_C(0xC6EFE68B4B5F6032), UINT64_C(0x3A64F34C14F54073), ++ UINT64_C(0x25DA689CAC44DC95), UINT64_C(0x990C477E5358AD8A), ++ UINT64_C(0x00E958A5F36DA7DE), UINT64_C(0x902B7360C9B6F161) } }, ++ { { UINT64_C(0x454AB42C9347B90A), UINT64_C(0xCAEBE64AA698B02B), ++ UINT64_C(0x119CDC69FB86FA40), UINT64_C(0x2E5CB7ADC3109281), ++ UINT64_C(0x67BB1EC5CD0C3D00), UINT64_C(0x5D430BC783F25BBF) }, ++ { UINT64_C(0x69FD84A85CDE0ABB), UINT64_C(0x69DA263E9816B688), ++ UINT64_C(0xE52D93DF0E53CBB8), UINT64_C(0x42CF6F25ADD2D5A7), ++ UINT64_C(0x227BA59DC87CA88F), UINT64_C(0x7A1CA876DA738554) } }, ++ { { UINT64_C(0x3FA5C1051CAC82C4), UINT64_C(0x23C760878A78C9BE), ++ UINT64_C(0xE98CDAD61C5CFA42), UINT64_C(0x09C302520A6C0421), ++ UINT64_C(0x149BAC7C42FC61B9), UINT64_C(0x3A1C22AC3004A3E2) }, ++ { UINT64_C(0xDE6B0D6E202C7FED), UINT64_C(0xB2457377E7E63052), ++ UINT64_C(0x31725FD43706B3EF), UINT64_C(0xE16A347D2B1AFDBF), ++ UINT64_C(0xBE4850C48C29CF66), UINT64_C(0x8F51CC4D2939F23C) } }, ++ { { UINT64_C(0x169E025B219AE6C1), UINT64_C(0x55FF526F116E1CA1), ++ UINT64_C(0x01B810A3B191F55D), UINT64_C(0x2D98127229588A69), ++ UINT64_C(0x53C9377048B92199), UINT64_C(0x8C7DD84E8A85236F) }, ++ { UINT64_C(0x293D48B6CAACF958), UINT64_C(0x1F084ACB43572B30), ++ UINT64_C(0x628BFA2DFAD91F28), UINT64_C(0x8D627B11829386AF), ++ UINT64_C(0x3EC1DD00D44A77BE), UINT64_C(0x8D3B0D08649AC7F0) } }, ++ { { UINT64_C(0x00A93DAA177513BF), UINT64_C(0x2EF0B96F42AD79E1), ++ UINT64_C(0x81F5AAF1A07129D9), UINT64_C(0xFC04B7EF923F2449), ++ UINT64_C(0x855DA79560CDB1B7), UINT64_C(0xB1EB5DABAD5D61D4) }, ++ { UINT64_C(0xD2CEF1AE353FD028), UINT64_C(0xC21D54399EE94847), ++ UINT64_C(0x9ED552BB0380C1A8), UINT64_C(0xB156FE7A2BAC328F), ++ UINT64_C(0xBB7E01967213C6A4), UINT64_C(0x36002A331701ED5B) } }, ++ { { UINT64_C(0x20B1632ADDC9EF4D), UINT64_C(0x2A35FF4C272D082B), ++ UINT64_C(0x30D39923F6CC9BD3), UINT64_C(0x6D879BC2E65C9D08), ++ UINT64_C(0xCE8274E16FA9983C), UINT64_C(0x652371E80EB7424F) }, ++ { UINT64_C(0x32B77503C5C35282), UINT64_C(0xD7306333C885A931), ++ UINT64_C(0x8A16D71972955AA8), UINT64_C(0x5548F1637D51F882), ++ UINT64_C(0xB311DC66BABA59EF), UINT64_C(0x773D54480DB8F627) } }, ++ { { UINT64_C(0x59B1B1347A62EB3B), UINT64_C(0x0F8CE157CCEEFB34), ++ UINT64_C(0x3FE842A8A798CB2B), UINT64_C(0xD01BC6260BF4161D), ++ UINT64_C(0x55EF6E554D016FDB), UINT64_C(0xCB561503B242B201) }, ++ { UINT64_C(0x076EBC73AF4199C1), UINT64_C(0x39DEDCBB697244F7), ++ UINT64_C(0x9D184733040162BC), UINT64_C(0x902992C17F6B5FA6), ++ UINT64_C(0xAD1DE754BB4952B5), UINT64_C(0x7ACF1B93A121F6C8) } }, ++ { { UINT64_C(0x7A56867C325C9B9A), UINT64_C(0x1A143999F3DC3D6A), ++ UINT64_C(0xCE10959003F5BCB8), UINT64_C(0x034E9035D6EEE5B7), ++ UINT64_C(0x2AFA81C8495DF1BC), UINT64_C(0x5EAB52DC08924D02) }, ++ { UINT64_C(0xEE6AA014AA181904), UINT64_C(0xE62DEF09310AD621), ++ UINT64_C(0x6C9792FCC7538A03), UINT64_C(0xA89D3E883E41D789), ++ UINT64_C(0xD60FA11C9F94AE83), UINT64_C(0x5E16A8C2E0D6234A) } }, ++ { { UINT64_C(0x87EC053DA9242F3B), UINT64_C(0x99544637F0E03545), ++ UINT64_C(0xEA0633FF6B7019E9), UINT64_C(0x8CB8AE0768DDDB5B), ++ UINT64_C(0x892E7C841A811AC7), UINT64_C(0xC7EF19EB73664249) }, ++ { UINT64_C(0xD1B5819ACD1489E3), UINT64_C(0xF9C80FB0DE45D24A), ++ UINT64_C(0x045C21A683BB7491), UINT64_C(0xA65325BE73F7A47D), ++ UINT64_C(0x08D09F0E9C394F0C), UINT64_C(0xE7FB21C6268D4F08) } }, ++ { { UINT64_C(0xC4CCAB956CA95C18), UINT64_C(0x563FFD56BC42E040), ++ UINT64_C(0xFA3C64D8E701C604), UINT64_C(0xC88D4426B0ABAFEE), ++ UINT64_C(0x1A353E5E8542E4C3), UINT64_C(0x9A2D8B7CED726186) }, ++ { UINT64_C(0xD61CE19042D097FA), UINT64_C(0x6A63E280799A748B), ++ UINT64_C(0x0F48D0633225486B), UINT64_C(0x848F8FE142A3C443), ++ UINT64_C(0x2CCDE2508493CEF4), UINT64_C(0x5450A50845E77E7C) } }, ++ { { UINT64_C(0xD0F4E24803112816), UINT64_C(0xFCAD9DDBCCBE9E16), ++ UINT64_C(0x177999BF5AE01EA0), UINT64_C(0xD20C78B9CE832DCE), ++ UINT64_C(0x3CC694FB50C8C646), UINT64_C(0x24D75968C93D4887) }, ++ { UINT64_C(0x9F06366A87BC08AF), UINT64_C(0x59FAB50E7FD0DF2A), ++ UINT64_C(0x5FFCC7F76C4CC234), UINT64_C(0x87198DD765F52D86), ++ UINT64_C(0x5B9C94B0A855DF04), UINT64_C(0xD8BA6C738A067AD7) } }, ++ }, ++ { ++ { { UINT64_C(0x9E9AF3151C4C9D90), UINT64_C(0x8665C5A9D12E0A89), ++ UINT64_C(0x204ABD9258286493), UINT64_C(0x79959889B2E09205), ++ UINT64_C(0x0C727A3DFE56B101), UINT64_C(0xF366244C8B657F26) }, ++ { UINT64_C(0xDE35D954CCA65BE2), UINT64_C(0x52EE1230B0FD41CE), ++ UINT64_C(0xFA03261F36019FEE), UINT64_C(0xAFDA42D966511D8F), ++ UINT64_C(0xF63211DD821148B9), UINT64_C(0x7B56AF7E6F13A3E1) } }, ++ { { UINT64_C(0x47FE47995913E184), UINT64_C(0x5BBE584C82145900), ++ UINT64_C(0xB76CFA8B9A867173), UINT64_C(0x9BC87BF0514BF471), ++ UINT64_C(0x37392DCE71DCF1FC), UINT64_C(0xEC3EFAE03AD1EFA8) }, ++ { UINT64_C(0xBBEA5A3414876451), UINT64_C(0x96E5F5436217090F), ++ UINT64_C(0x5B3D4ECD9B1665A9), UINT64_C(0xE7B0DF26E329DF22), ++ UINT64_C(0x18FB438E0BAA808D), UINT64_C(0x90757EBFDD516FAF) } }, ++ { { UINT64_C(0x1E6F9A95D5A98D68), UINT64_C(0x759EA7DF849DA828), ++ UINT64_C(0x365D56256E8B4198), UINT64_C(0xE1B9C53B7A4A53F9), ++ UINT64_C(0x55DC1D50E32B9B16), UINT64_C(0xA4657EBBBB6D5701) }, ++ { UINT64_C(0x4C270249EACC76E2), UINT64_C(0xBE49EC75162B1CC7), ++ UINT64_C(0x19A95B610689902B), UINT64_C(0xDD5706BFA4CFC5A8), ++ UINT64_C(0xD33BDB7314E5B424), UINT64_C(0x21311BD1E69EBA87) } }, ++ { { UINT64_C(0x75BA2F9B72A21ACC), UINT64_C(0x356688D4A28EDB4C), ++ UINT64_C(0x3C339E0B610D080F), UINT64_C(0x614AC29333A99C2F), ++ UINT64_C(0xA5E23AF2AA580AFF), UINT64_C(0xA6BCB860E1FDBA3A) }, ++ { UINT64_C(0xAA603365B43F9425), UINT64_C(0xAE8D7126F7EE4635), ++ UINT64_C(0xA2B2524456330A32), UINT64_C(0xC396B5BB9E025AA3), ++ UINT64_C(0xABBF77FAF8A0D5CF), UINT64_C(0xB322EE30EA31C83B) } }, ++ { { UINT64_C(0x048813847890E234), UINT64_C(0x387F1159672E70C6), ++ UINT64_C(0x1468A6147B307F75), UINT64_C(0x56335B52ED85EC96), ++ UINT64_C(0xDA1BB60FD45BCAE9), UINT64_C(0x4D94F3F0F9FAEADD) }, ++ { UINT64_C(0x6C6A7183FC78D86B), UINT64_C(0xA425B5C73018DEC6), ++ UINT64_C(0xB1549C332D877399), UINT64_C(0x6C41C50C92B2BC37), ++ UINT64_C(0x3A9F380C83EE0DDB), UINT64_C(0xDED5FEB6C4599E73) } }, ++ { { UINT64_C(0x14D34C210B7F8354), UINT64_C(0x1475A1CD9177CE45), ++ UINT64_C(0x9F5F764A9B926E4B), UINT64_C(0x77260D1E05DD21FE), ++ UINT64_C(0x3C882480C4B937F7), UINT64_C(0xC92DCD39722372F2) }, ++ { UINT64_C(0xF636A1BEEC6F657E), UINT64_C(0xB0E6C3121D30DD35), ++ UINT64_C(0xFE4B0528E4654EFE), UINT64_C(0x1C4A682021D230D2), ++ UINT64_C(0x615D2E4898FA45AB), UINT64_C(0x1F35D6D801FDBABF) } }, ++ { { UINT64_C(0xA636EEB83A7B10D1), UINT64_C(0x4E1AE352F4A29E73), ++ UINT64_C(0x01704F5FE6BB1EC7), UINT64_C(0x75C04F720EF020AE), ++ UINT64_C(0x448D8CEE5A31E6A6), UINT64_C(0xE40A9C29208F994B) }, ++ { UINT64_C(0x69E09A30FD8F9D5D), UINT64_C(0xE6A5F7EB449BAB7E), ++ UINT64_C(0xF25BC18A2AA1768B), UINT64_C(0x9449E4043C841234), ++ UINT64_C(0x7A3BF43E016A7BEF), UINT64_C(0xF25803E82A150B60) } }, ++ { { UINT64_C(0xE44A2A57B215F9E0), UINT64_C(0x38B34DCE19066F0A), ++ UINT64_C(0x8BB91DAD40BB1BFB), UINT64_C(0x64C9F775E67735FC), ++ UINT64_C(0xDE14241788D613CD), UINT64_C(0xC5014FF51901D88D) }, ++ { UINT64_C(0xA250341DF38116B0), UINT64_C(0xF96B9DD49D6CBCB2), ++ UINT64_C(0x15EC6C7276B3FAC2), UINT64_C(0x88F1952F8124C1E9), ++ UINT64_C(0x6B72F8EA975BE4F5), UINT64_C(0x23D288FF061F7530) } }, ++ { { UINT64_C(0xEBFE3E5FAFB96CE3), UINT64_C(0x2275EDFBB1979537), ++ UINT64_C(0xC37AB9E8C97BA741), UINT64_C(0x446E4B1063D7C626), ++ UINT64_C(0xB73E2DCED025EB02), UINT64_C(0x1F952B517669EEA7) }, ++ { UINT64_C(0xABDD00F66069A424), UINT64_C(0x1C0F9D9BDC298BFB), ++ UINT64_C(0x831B1FD3EB757B33), UINT64_C(0xD7DBE18359D60B32), ++ UINT64_C(0x663D1F369EF094B3), UINT64_C(0x1BD5732E67F7F11A) } }, ++ { { UINT64_C(0x3C7FB3F5C75D8892), UINT64_C(0x2CFF9A0CBA68DA69), ++ UINT64_C(0x76455E8B60EC740B), UINT64_C(0x4B8D67FF167B88F0), ++ UINT64_C(0xEDEC0C025A4186B1), UINT64_C(0x127C462DBEBF35AB) }, ++ { UINT64_C(0x9159C67E049430FC), UINT64_C(0x86B21DD2E7747320), ++ UINT64_C(0x0E0E01520CF27B89), UINT64_C(0x705F28F5CD1316B6), ++ UINT64_C(0x76751691BEAEA8A8), UINT64_C(0x4C73E282360C5B69) } }, ++ { { UINT64_C(0x46BCC0D5FD7B3D74), UINT64_C(0x6F13C20E0DC4F410), ++ UINT64_C(0x98A1AF7D72F11CDF), UINT64_C(0x6099FD837928881C), ++ UINT64_C(0x66976356371BB94B), UINT64_C(0x673FBA7219B945AB) }, ++ { UINT64_C(0xE4D8FA6EAED00700), UINT64_C(0xEA2313EC5C71A9F7), ++ UINT64_C(0xF9ED8268F99D4AEA), UINT64_C(0xADD8916442AB59C7), ++ UINT64_C(0xB37EB26F3F3A2D45), UINT64_C(0x0B39BD7AA924841E) } }, ++ { { UINT64_C(0xD811EB32E03CDBBB), UINT64_C(0x12055F1D7CC3610E), ++ UINT64_C(0x6B23A1A0A9046E3F), UINT64_C(0x4D7121229DD4A749), ++ UINT64_C(0xB0C2ACA1B1BF0AC3), UINT64_C(0x71EFF575C1B0432F) }, ++ { UINT64_C(0x6CD814922B44E285), UINT64_C(0x3088BD9CD87E8D20), ++ UINT64_C(0xACE218E5F567E8FA), UINT64_C(0xB3FA0424CF90CBBB), ++ UINT64_C(0xADBDA751770734D3), UINT64_C(0xBCD78BAD5AD6569A) } }, ++ { { UINT64_C(0xCADB31FA7F39641F), UINT64_C(0x3EF3E295825E5562), ++ UINT64_C(0x4893C633F4094C64), UINT64_C(0x52F685F18ADDF432), ++ UINT64_C(0x9FD887AB7FDC9373), UINT64_C(0x47A9ADA0E8680E8B) }, ++ { UINT64_C(0x579313B7F0CD44F6), UINT64_C(0xAC4B8668E188AE2E), ++ UINT64_C(0x648F43698FB145BD), UINT64_C(0xE0460AB374629E31), ++ UINT64_C(0xC25F28758FF2B05F), UINT64_C(0x4720C2B62D31EAEA) } }, ++ { { UINT64_C(0x4603CDF413D48F80), UINT64_C(0x9ADB50E2A49725DA), ++ UINT64_C(0x8CD3305065DF63F0), UINT64_C(0x58D8B3BBCD643003), ++ UINT64_C(0x170A4F4AB739826B), UINT64_C(0x857772B51EAD0E17) }, ++ { UINT64_C(0x01B78152E65320F1), UINT64_C(0xA6B4D845B7503FC0), ++ UINT64_C(0x0F5089B93DD50798), UINT64_C(0x488F200F5690B6BE), ++ UINT64_C(0x220B4ADF9E096F36), UINT64_C(0x474D7C9F8CE5BC7C) } }, ++ { { UINT64_C(0xFED8C058C745F8C9), UINT64_C(0xB683179E291262D1), ++ UINT64_C(0x26ABD367D15EE88C), UINT64_C(0x29E8EED3F60A6249), ++ UINT64_C(0xED6008BB1E02D6E1), UINT64_C(0xD82ECF4CA6B12B8D) }, ++ { UINT64_C(0x9929D021AAE4FA22), UINT64_C(0xBE4DEF14336A1AB3), ++ UINT64_C(0x529B7E098C80A312), UINT64_C(0xB059188DEE0EB0CE), ++ UINT64_C(0x1E42979A16DEAB7F), UINT64_C(0x2411034984EE9477) } }, ++ { { UINT64_C(0xD65246852BE579CC), UINT64_C(0x849316F1C456FDED), ++ UINT64_C(0xC51B7DA42D1B67DA), UINT64_C(0xC25B539E41BC6D6A), ++ UINT64_C(0xE3B7CCA3A9BF8BED), UINT64_C(0x813EF18C045C15E4) }, ++ { UINT64_C(0x5F3789A1697982C4), UINT64_C(0x4C1253698C435566), ++ UINT64_C(0x00A7AE6EDC0A92C6), UINT64_C(0x1ABC929B2F64A053), ++ UINT64_C(0xF4925C4C38666B44), UINT64_C(0xA81044B00F3DE7F6) } }, ++ }, ++ { ++ { { UINT64_C(0xBCC88422C2EC3731), UINT64_C(0x78A3E4D410DC4EC2), ++ UINT64_C(0x745DA1EF2571D6B1), UINT64_C(0xF01C2921739A956E), ++ UINT64_C(0xEFFD8065E4BFFC16), UINT64_C(0x6EFE62A1F36FE72C) }, ++ { UINT64_C(0xF49E90D20F4629A4), UINT64_C(0xADD1DCC78CE646F4), ++ UINT64_C(0xCB78B583B7240D91), UINT64_C(0x2E1A7C3C03F8387F), ++ UINT64_C(0x16566C223200F2D9), UINT64_C(0x2361B14BAAF80A84) } }, ++ { { UINT64_C(0xDB1CFFD2B5733309), UINT64_C(0x24BC250B0F9DD939), ++ UINT64_C(0xA4181E5AA3C1DB85), UINT64_C(0xE5183E51AC55D391), ++ UINT64_C(0x2793D5EFEFD270D0), UINT64_C(0x7D56F63DC0631546) }, ++ { UINT64_C(0xECB40A590C1EE59D), UINT64_C(0xE613A9E4BB5BFA2C), ++ UINT64_C(0xA89B14AB6C5830F9), UINT64_C(0x4DC477DCA03F201E), ++ UINT64_C(0x5604F5DAC88C54F6), UINT64_C(0xD49264DC2ACFC66E) } }, ++ { { UINT64_C(0x283DD7F01C4DFA95), UINT64_C(0xB898CC2C62C0B160), ++ UINT64_C(0xBA08C095870282AA), UINT64_C(0xB02B00D8F4E36324), ++ UINT64_C(0x53AADDC0604CECF2), UINT64_C(0xF1F927D384DDD24E) }, ++ { UINT64_C(0x34BC00A0E2ABC9E1), UINT64_C(0x2DA1227D60289F88), ++ UINT64_C(0x5228EAAACEF68F74), UINT64_C(0x40A790D23C029351), ++ UINT64_C(0xE0E9AF5C8442E3B7), UINT64_C(0xA3214142A9F141E0) } }, ++ { { UINT64_C(0x72F4949EF9A58E3D), UINT64_C(0x738C700BA48660A6), ++ UINT64_C(0x71B04726092A5805), UINT64_C(0xAD5C3C110F5CDB72), ++ UINT64_C(0xD4951F9E554BFC49), UINT64_C(0xEE594EE56131EBE7) }, ++ { UINT64_C(0x37DA59F33C1AF0A9), UINT64_C(0xD7AFC73BCB040A63), ++ UINT64_C(0xD020962A4D89FA65), UINT64_C(0x2610C61E71D824F5), ++ UINT64_C(0x9C917DA73C050E31), UINT64_C(0x3840F92FE6E7EBFB) } }, ++ { { UINT64_C(0x50FBD7FE8D8B8CED), UINT64_C(0xC7282F7547D240AE), ++ UINT64_C(0x79646A471930FF73), UINT64_C(0x2E0BAC4E2F7F5A77), ++ UINT64_C(0x0EE44FA526127E0B), UINT64_C(0x678881B782BC2AA7) }, ++ { UINT64_C(0xB9E5D38467F5F497), UINT64_C(0x8F94A7D4A9B7106B), ++ UINT64_C(0xBF7E0B079D329F68), UINT64_C(0x169B93EA45D192FB), ++ UINT64_C(0xCCAA946720DBE8C0), UINT64_C(0xD4513A50938F9574) } }, ++ { { UINT64_C(0x841C96B4054CB874), UINT64_C(0xD75B1AF1A3C26834), ++ UINT64_C(0x7237169DEE6575F0), UINT64_C(0xD71FC7E50322AADC), ++ UINT64_C(0xD7A23F1E949E3A8E), UINT64_C(0x77E2D102DD31D8C7) }, ++ { UINT64_C(0x5AD69D09D10F5A1F), UINT64_C(0x526C9CB4B99D9A0B), ++ UINT64_C(0x521BB10B972B237D), UINT64_C(0x1E4CD42FA326F342), ++ UINT64_C(0x5BB6DB27F0F126CA), UINT64_C(0x587AF22CA4A515AD) } }, ++ { { UINT64_C(0x1123A531B12E542F), UINT64_C(0x1D01A64DB9EB2811), ++ UINT64_C(0xA4A3515BF2D70F87), UINT64_C(0xFA205234B4BD0270), ++ UINT64_C(0x74B818305EDA26B9), UINT64_C(0x9305D6E656578E75) }, ++ { UINT64_C(0xF38E69DE9F11BE19), UINT64_C(0x1E2A5C2344DBE89F), ++ UINT64_C(0x1077E7BCFD286654), UINT64_C(0xD36698940FCA4741), ++ UINT64_C(0x893BF904278F8497), UINT64_C(0xD6AC5F83EB3E14F4) } }, ++ { { UINT64_C(0x327B9DAB488F5F74), UINT64_C(0x2B44F4B8CAB7364F), ++ UINT64_C(0xB4A6D22D19B6C6BD), UINT64_C(0xA087E613FC77CD3E), ++ UINT64_C(0x4558E327B0B49BC7), UINT64_C(0x188805BECD835D35) }, ++ { UINT64_C(0x592F293CC1DC1007), UINT64_C(0xFAEE660F6AF02B44), ++ UINT64_C(0x5BFBB3BF904035F2), UINT64_C(0xD7C9AE6079C07E70), ++ UINT64_C(0xC5287DD4234896C2), UINT64_C(0xC4CE4523CB0E4121) } }, ++ { { UINT64_C(0x3626B40658344831), UINT64_C(0xABCCE3568E55C984), ++ UINT64_C(0x495CC81C77241602), UINT64_C(0x4FB796766D70DF8F), ++ UINT64_C(0x6354B37C5B071DCA), UINT64_C(0x2CAD80A48C0FC0AD) }, ++ { UINT64_C(0x18AADD51F68739B4), UINT64_C(0x1BFBB17747F09C6C), ++ UINT64_C(0x9355EA19A8FD51C4), UINT64_C(0x3D512A84EE58DB7B), ++ UINT64_C(0x70842AFDE9237640), UINT64_C(0x36F515CAACAF858D) } }, ++ { { UINT64_C(0x3DDEC7C47E768B23), UINT64_C(0x97E13C53036D43ED), ++ UINT64_C(0x871E59253A39AB5F), UINT64_C(0x9AF292DE07E68E2B), ++ UINT64_C(0x411583494A40112E), UINT64_C(0xCDBB46AF3D4D97E6) }, ++ { UINT64_C(0x2F8912933C0EBE40), UINT64_C(0x696C7EEE3EBAD1E5), ++ UINT64_C(0x8A5F3B6933B50D99), UINT64_C(0xB7BC48407ED47DDE), ++ UINT64_C(0x3A6F8E6C1E6706D8), UINT64_C(0x6A1479433D84BB8F) } }, ++ { { UINT64_C(0xEC3A9C78603AE8D1), UINT64_C(0xBFE07E37228C29E5), ++ UINT64_C(0xB0385C5B396DBC2B), UINT64_C(0x7C14FE83DF85F41F), ++ UINT64_C(0xE2E64676ADFD463E), UINT64_C(0x5BEF10AA8BF9F23D) }, ++ { UINT64_C(0xFA83EA0DF6BAB6DA), UINT64_C(0xCD0C8BA5966BF7E3), ++ UINT64_C(0xD62216B498501C2E), UINT64_C(0xB7F298A4C3E69F2D), ++ UINT64_C(0x42CEF13B9C8740F4), UINT64_C(0xBB317E520DD64307) } }, ++ { { UINT64_C(0x22B6245C3FFEE775), UINT64_C(0x5C3F60BEB37CE7AA), ++ UINT64_C(0xDE195D40E1FEC0DF), UINT64_C(0x3BFAFBC5A0A82074), ++ UINT64_C(0xC36EC86AC72CA86A), UINT64_C(0x5606285113FD43EA) }, ++ { UINT64_C(0x8686BE808E0B03A4), UINT64_C(0xC3BD1F93D540D440), ++ UINT64_C(0x13E4EBC0BF96CEC5), UINT64_C(0xE8E239849190C844), ++ UINT64_C(0x183593A600844802), UINT64_C(0x467168794D206878) } }, ++ { { UINT64_C(0x358F394DB6F63D19), UINT64_C(0xA75D48496B052194), ++ UINT64_C(0x584035905C8D7975), UINT64_C(0x86DC9B6B6CBFBD77), ++ UINT64_C(0x2DB04D77647A51E5), UINT64_C(0x5E9A5B02F8950D88) }, ++ { UINT64_C(0xCE69A7E5017168B0), UINT64_C(0x94630FACC4843AD3), ++ UINT64_C(0xB3B9D7361EFC44FF), UINT64_C(0xE729E9B6B14D7F93), ++ UINT64_C(0xA071FC60E0ED0ABC), UINT64_C(0xFC1A99718C8D9B83) } }, ++ { { UINT64_C(0x49686031D138E975), UINT64_C(0x648640385A8EF0D1), ++ UINT64_C(0x32679713E7F7DE49), UINT64_C(0x5913234929D1CD1D), ++ UINT64_C(0x849AA23A20BE9ED2), UINT64_C(0x15D303E1284B3F33) }, ++ { UINT64_C(0x37309475B63F9FE9), UINT64_C(0x327BAC8B45B7256A), ++ UINT64_C(0x291CD227D17FC5D3), UINT64_C(0x8291D8CDA973EDF1), ++ UINT64_C(0xF3843562437ABA09), UINT64_C(0x33FFB704271D0785) } }, ++ { { UINT64_C(0x5248D6E447E11E5E), UINT64_C(0x0F66FC3C269C7ED3), ++ UINT64_C(0x18C0D2B9903E346E), UINT64_C(0xD81D9D974BEAE1B8), ++ UINT64_C(0x610326B0FC30FDF3), UINT64_C(0x2B13687019A7DFCD) }, ++ { UINT64_C(0xEC75F70AB9527676), UINT64_C(0x90829F5129A3D897), ++ UINT64_C(0x92FE180997980302), UINT64_C(0xA3F2498E68474991), ++ UINT64_C(0x6A66307B0F22BBAD), UINT64_C(0x32014B9120378557) } }, ++ { { UINT64_C(0x72CD7D553CD98610), UINT64_C(0xC3D560B074504ADF), ++ UINT64_C(0x23F0A982CEBB5D5D), UINT64_C(0x1431C15BB839DDB8), ++ UINT64_C(0x7E207CD8CEB72207), UINT64_C(0x28E0A848E7EFB28D) }, ++ { UINT64_C(0xD22561FE1BD96F6E), UINT64_C(0x04812C1862A8236B), ++ UINT64_C(0xA0BF2334975491FA), UINT64_C(0x294F42A6435DF87F), ++ UINT64_C(0x2772B783A5D6F4F6), UINT64_C(0x348F92ED2724F853) } }, ++ }, ++ { ++ { { UINT64_C(0xC20FB9111A42E5E7), UINT64_C(0x075A678B81D12863), ++ UINT64_C(0x12BCBC6A5CC0AA89), UINT64_C(0x5279C6AB4FB9F01E), ++ UINT64_C(0xBC8E178911AE1B89), UINT64_C(0xAE74A706C290003C) }, ++ { UINT64_C(0x9949D6EC79DF3F45), UINT64_C(0xBA18E26296C8D37F), ++ UINT64_C(0x68DE6EE2DD2275BF), UINT64_C(0xA9E4FFF8C419F1D5), ++ UINT64_C(0xBC759CA4A52B5A40), UINT64_C(0xFF18CBD863B0996D) } }, ++ { { UINT64_C(0x73C57FDED7DD47E5), UINT64_C(0xB0FE5479D49A7F5D), ++ UINT64_C(0xD25C71F1CFB9821E), UINT64_C(0x9427E209CF6A1D68), ++ UINT64_C(0xBF3C3916ACD24E64), UINT64_C(0x7E9F5583BDA7B8B5) }, ++ { UINT64_C(0xE7C5F7C8CF971E11), UINT64_C(0xEC16D5D73C7F035E), ++ UINT64_C(0x818DC472E66B277C), UINT64_C(0x4413FD47B2816F1E), ++ UINT64_C(0x40F262AF48383C6D), UINT64_C(0xFB0575844F190537) } }, ++ { { UINT64_C(0x487EDC0708962F6B), UINT64_C(0x6002F1E7190A7E55), ++ UINT64_C(0x7FC62BEA10FDBA0C), UINT64_C(0xC836BBC52C3DBF33), ++ UINT64_C(0x4FDFB5C34F7D2A46), UINT64_C(0x824654DEDCA0DF71) }, ++ { UINT64_C(0x30A076760C23902B), UINT64_C(0x7F1EBB9377FBBF37), ++ UINT64_C(0xD307D49DFACC13DB), UINT64_C(0x148D673AAE1A261A), ++ UINT64_C(0xE008F95B52D98650), UINT64_C(0xC76144409F558FDE) } }, ++ { { UINT64_C(0x17CD6AF69CB16650), UINT64_C(0x86CC27C169F4EEBE), ++ UINT64_C(0x7E495B1D78822432), UINT64_C(0xFED338E31B974525), ++ UINT64_C(0x527743D386F3CE21), UINT64_C(0x87948AD3B515C896) }, ++ { UINT64_C(0x9FDE7039B17F2FB8), UINT64_C(0xA2FA9A5FD9B89D96), ++ UINT64_C(0x5D46600B36FF74DC), UINT64_C(0x8EA74B048302C3C9), ++ UINT64_C(0xD560F570F744B5EB), UINT64_C(0xC921023BFE762402) } }, ++ { { UINT64_C(0xA35AB657FFF4C8ED), UINT64_C(0x017C61248A5FABD7), ++ UINT64_C(0x5646302509ACDA28), UINT64_C(0x6038D36114CF238A), ++ UINT64_C(0x1428B1B6AF1B9F07), UINT64_C(0x5827FF447482E95C) }, ++ { UINT64_C(0xCB997E18780FF362), UINT64_C(0x2B89D702E0BCAC1E), ++ UINT64_C(0xC632A0B5A837DDC8), UINT64_C(0xF3EFCF1F59762647), ++ UINT64_C(0xE9BA309A38B0D60A), UINT64_C(0x05DEABDD20B5FB37) } }, ++ { { UINT64_C(0xD44E5DBACB8AF047), UINT64_C(0x15400CB4943CFE82), ++ UINT64_C(0xDBD695759DF88B67), UINT64_C(0x8299DB2BB2405A7D), ++ UINT64_C(0x46E3BF770B1D80CD), UINT64_C(0xC50CF66CE82BA3D9) }, ++ { UINT64_C(0xB2910A07F2F747A9), UINT64_C(0xF6B669DB5ADC89C1), ++ UINT64_C(0x3B5EF1A09052B081), UINT64_C(0x0F5D5ED3B594ACE2), ++ UINT64_C(0xDA30B8D5D5F01320), UINT64_C(0x0D688C5EAAFCD58F) } }, ++ { { UINT64_C(0x5EEE3A312A161074), UINT64_C(0x6BAAAE56EFE2BE37), ++ UINT64_C(0xF9787F61E3D78698), UINT64_C(0xC6836B2650630A30), ++ UINT64_C(0x7445B85D1445DEF1), UINT64_C(0xD72016A2D568A6A5) }, ++ { UINT64_C(0x9DD6F533E355614F), UINT64_C(0x637E7E5F91E04588), ++ UINT64_C(0x42E142F3B9FB1391), UINT64_C(0x0D07C05C41AFE5DA), ++ UINT64_C(0xD7CD25C81394EDF1), UINT64_C(0xEBE6A0FCB99288EE) } }, ++ { { UINT64_C(0xB8E63B7BBABBAD86), UINT64_C(0x63226A9F90D66766), ++ UINT64_C(0x263818365CF26666), UINT64_C(0xCCBD142D4CADD0BF), ++ UINT64_C(0xA070965E9AC29470), UINT64_C(0x6BDCA26025FF23ED) }, ++ { UINT64_C(0xD4E00FD487DCA7B3), UINT64_C(0xA50978339E0E8734), ++ UINT64_C(0xF73F162E048173A4), UINT64_C(0xD23F91969C3C2FA2), ++ UINT64_C(0x9AB98B45E4AC397A), UINT64_C(0x2BAA0300543F2D4B) } }, ++ { { UINT64_C(0xBBBE15E7C658C445), UINT64_C(0xB8CBCB20C28941D1), ++ UINT64_C(0x65549BE2027D6540), UINT64_C(0xEBBCA8021E8EF4F4), ++ UINT64_C(0x18214B4BD2ACA397), UINT64_C(0xCBEC7DE2E31784A3) }, ++ { UINT64_C(0x96F0533F0116FDF3), UINT64_C(0x68911C905C8F5EE1), ++ UINT64_C(0x7DE9A3AED568603A), UINT64_C(0x3F56C52C6A3AD7B7), ++ UINT64_C(0x5BE9AFCA670B4D0E), UINT64_C(0x628BFEEE375DFE2F) } }, ++ { { UINT64_C(0x97DAE81BDD4ADDB3), UINT64_C(0x12D2CF4E8704761B), ++ UINT64_C(0x5E820B403247788D), UINT64_C(0x82234B620051CA80), ++ UINT64_C(0x0C62704D6CB5EA74), UINT64_C(0xDE56042023941593) }, ++ { UINT64_C(0xB3912A3CF1B04145), UINT64_C(0xE3967CD7AF93688D), ++ UINT64_C(0x2E2DCD2F58DABB4B), UINT64_C(0x6564836F0E303911), ++ UINT64_C(0x1F10F19BECE07C5C), UINT64_C(0xB47F07EED8919126) } }, ++ { { UINT64_C(0xE3545085E9A2EEC9), UINT64_C(0x81866A972C8E51FE), ++ UINT64_C(0xD2BA7DB550027243), UINT64_C(0x29DAEAB54AE87DE4), ++ UINT64_C(0x5EF3D4B8684F9497), UINT64_C(0xE2DACE3B9D5D6873) }, ++ { UINT64_C(0xF012C951FFD29C9C), UINT64_C(0x48289445ADBADA14), ++ UINT64_C(0x8751F50D89558C49), UINT64_C(0x75511A4F99E35BEE), ++ UINT64_C(0xEF802D6E7D59AA5F), UINT64_C(0x14FCAD65A2A795E2) } }, ++ { { UINT64_C(0xC8EB00E808CB8F2C), UINT64_C(0x686075322B45BD86), ++ UINT64_C(0x7A29B45959969713), UINT64_C(0x5FA15B9BD684201B), ++ UINT64_C(0x1A853190B9E538EE), UINT64_C(0x4150605CD573D043) }, ++ { UINT64_C(0xEF011D3BEB9FBB68), UINT64_C(0x6727998266AE32B6), ++ UINT64_C(0x861B86EA445DE5EC), UINT64_C(0x62837D18A34A50E1), ++ UINT64_C(0x228C006ABF5F0663), UINT64_C(0xE007FDE7396DB36A) } }, ++ { { UINT64_C(0xDEE4F8815A916A55), UINT64_C(0x20DC0370F39C82CB), ++ UINT64_C(0xD9A7161540F09821), UINT64_C(0xD50AD8BFF7273492), ++ UINT64_C(0xA06F7D1232E7C4BF), UINT64_C(0xFA0F61544C5CEA36) }, ++ { UINT64_C(0xF4FD9BED5FC49CFE), UINT64_C(0xD8CB45D1C9291678), ++ UINT64_C(0x94DB86CC7B92C9F2), UINT64_C(0x09CA5F3873C81169), ++ UINT64_C(0x109F40B0AEED06F0), UINT64_C(0x9F0360B214DCAA0A) } }, ++ { { UINT64_C(0x4189B70DE12AD3E7), UINT64_C(0x5208ADB210B06607), ++ UINT64_C(0xEBD8E2A2EE8497FA), UINT64_C(0x61B1BD67E04F2ECB), ++ UINT64_C(0x0E2DDA724F3F5F99), UINT64_C(0xD5D96740F747B16D) }, ++ { UINT64_C(0x308A48F6A6BF397F), UINT64_C(0x7021C3E523A93595), ++ UINT64_C(0xF10B022936470AA0), UINT64_C(0x7761E8EC4E03295B), ++ UINT64_C(0x16EFEF5807339770), UINT64_C(0x0D55D2DD5DA5DAA2) } }, ++ { { UINT64_C(0x915EA6A38A22F87A), UINT64_C(0x191151C12E5A088E), ++ UINT64_C(0x190252F17F1D5CBE), UINT64_C(0xE43F59C33B0EC99B), ++ UINT64_C(0xBE8588D4FF2A6135), UINT64_C(0x103877CC2ECB4B9F) }, ++ { UINT64_C(0x8F4147E5023CF92B), UINT64_C(0xC24384CC0CC2085B), ++ UINT64_C(0x6A2DB4A2D082D311), UINT64_C(0x06283811ED7BA9AE), ++ UINT64_C(0xE9A3F5322A8E1592), UINT64_C(0xAC20F0F45A59E894) } }, ++ { { UINT64_C(0x788CAA5274AAB4B1), UINT64_C(0xEB84ABA12FEAFC7E), ++ UINT64_C(0x31DA71DAAC04FF77), UINT64_C(0x39D12EB924E4D0BF), ++ UINT64_C(0x4F2F292F87A34EF8), UINT64_C(0x9B324372A237A8ED) }, ++ { UINT64_C(0xBB2D04B12EE3A82D), UINT64_C(0xED4FF367D18D36B2), ++ UINT64_C(0x99D231EEA6EA0138), UINT64_C(0x7C2D4F064F92E04A), ++ UINT64_C(0x78A82AB2CA272FD0), UINT64_C(0x7EC41340AB8CDC32) } }, ++ }, ++ { ++ { { UINT64_C(0xD23658C8D2E15A8C), UINT64_C(0x23F93DF716BA28CA), ++ UINT64_C(0x6DAB10EC082210F1), UINT64_C(0xFB1ADD91BFC36490), ++ UINT64_C(0xEDA8B02F9A4F2D14), UINT64_C(0x9060318C56560443) }, ++ { UINT64_C(0x6C01479E64711AB2), UINT64_C(0x41446FC7E337EB85), ++ UINT64_C(0x4DCF3C1D71888397), UINT64_C(0x87A9C04E13C34FD2), ++ UINT64_C(0xFE0E08EC510C15AC), UINT64_C(0xFC0D0413C0F495D2) } }, ++ { { UINT64_C(0xEB05C516156636C2), UINT64_C(0x2F613ABA090E93FC), ++ UINT64_C(0xCFD573CD489576F5), UINT64_C(0xE6535380535A8D57), ++ UINT64_C(0x13947314671436C4), UINT64_C(0x1172FB0C5F0A122D) }, ++ { UINT64_C(0xAECC7EC1C12F58F6), UINT64_C(0xFE42F9578E41AFD2), ++ UINT64_C(0xDF96F6523D4221AA), UINT64_C(0xFEF5649F2851996B), ++ UINT64_C(0x46FB9F26D5CFB67E), UINT64_C(0xB047BFC7EF5C4052) } }, ++ { { UINT64_C(0x5CBDC442F4484374), UINT64_C(0x6B156957F92452EF), ++ UINT64_C(0x58A26886C118D02A), UINT64_C(0x87FF74E675AAF276), ++ UINT64_C(0xB133BE95F65F6EC1), UINT64_C(0xA89B62844B1B8D32) }, ++ { UINT64_C(0xDD8A8EF309C81004), UINT64_C(0x7F8225DB0CF21991), ++ UINT64_C(0xD525A6DB26623FAF), UINT64_C(0xF2368D40BAE15453), ++ UINT64_C(0x55D6A84D84F89FC9), UINT64_C(0xAF38358A86021A3E) } }, ++ { { UINT64_C(0xBD048BDCFF52E280), UINT64_C(0x8A51D0B2526A1795), ++ UINT64_C(0x40AAA758A985AC0F), UINT64_C(0x6039BCDCF2C7ACE9), ++ UINT64_C(0x712092CC6AEC347D), UINT64_C(0x7976D0906B5ACAB7) }, ++ { UINT64_C(0x1EBCF80D6EED9617), UINT64_C(0xB3A63149B0F404A4), ++ UINT64_C(0x3FDD3D1AD0B610EF), UINT64_C(0xDD3F6F9498C28AC7), ++ UINT64_C(0x650B77943A59750F), UINT64_C(0xEC59BAB12D3991AC) } }, ++ { { UINT64_C(0x01F40E882E552766), UINT64_C(0x1FE3D50966F5354F), ++ UINT64_C(0x0E46D006B3A8EA7F), UINT64_C(0xF75AB629F831CD6A), ++ UINT64_C(0xDAD808D791465119), UINT64_C(0x442405AF17EF9B10) }, ++ { UINT64_C(0xD5FE0A96672BDFCB), UINT64_C(0xA9DFA422355DBDEC), ++ UINT64_C(0xFDB79AA179B25636), UINT64_C(0xE7F26FFDEECE8AEC), ++ UINT64_C(0xB59255507EDD5AA2), UINT64_C(0x2C8F6FF08EB3A6C2) } }, ++ { { UINT64_C(0x88887756757D6136), UINT64_C(0xAD9AC18388B92E72), ++ UINT64_C(0x92CB2FC48785D3EB), UINT64_C(0xD1A542FE9319764B), ++ UINT64_C(0xAF4CC78F626A62F8), UINT64_C(0x7F3F5FC926BFFAAE) }, ++ { UINT64_C(0x0A203D4340AE2231), UINT64_C(0xA8BFD9E0387898E8), ++ UINT64_C(0x1A0C379C474B7DDD), UINT64_C(0x03855E0A34FD49EA), ++ UINT64_C(0x02B26223B3EF4AE1), UINT64_C(0x804BD8CFE399E0A3) } }, ++ { { UINT64_C(0x11A9F3D0DE865713), UINT64_C(0x81E36B6BBDE98821), ++ UINT64_C(0x324996C86AA891D0), UINT64_C(0x7B95BDC1395682B5), ++ UINT64_C(0x47BF2219C1600563), UINT64_C(0x7A473F50643E38B4) }, ++ { UINT64_C(0x0911F50AF5738288), UINT64_C(0xDF947A706F9C415B), ++ UINT64_C(0xBDB994F267A067F6), UINT64_C(0x3F4BEC1B88BE96CD), ++ UINT64_C(0x9820E931E56DD6D9), UINT64_C(0xB138F14F0A80F419) } }, ++ { { UINT64_C(0xA11A1A8F0429077A), UINT64_C(0x2BB1E33D10351C68), ++ UINT64_C(0x3C25ABFE89459A27), UINT64_C(0x2D0091B86B8AC774), ++ UINT64_C(0xDAFC78533B2415D9), UINT64_C(0xDE713CF19201680D) }, ++ { UINT64_C(0x8E5F445D68889D57), UINT64_C(0x608B209C60EABF5B), ++ UINT64_C(0x10EC0ACCF9CFA408), UINT64_C(0xD5256B9D4D1EE754), ++ UINT64_C(0xFF866BAB0AA6C18D), UINT64_C(0x9D196DB8ACB90A45) } }, ++ { { UINT64_C(0xA46D76A9B9B081B2), UINT64_C(0xFC743A1062163C25), ++ UINT64_C(0xCD2A5C8D7761C392), UINT64_C(0x39BDDE0BBE808583), ++ UINT64_C(0x7C416021B98E4DFE), UINT64_C(0xF930E56365913A44) }, ++ { UINT64_C(0xC3555F7E7585CF3C), UINT64_C(0xC737E3833D6333D5), ++ UINT64_C(0x5B60DBA4B430B03D), UINT64_C(0x42B715EBE7555404), ++ UINT64_C(0x571BDF5B7C7796E3), UINT64_C(0x33DC62C66DB6331F) } }, ++ { { UINT64_C(0x3FB9CCB0E61DEE59), UINT64_C(0xC5185F2318B14DB9), ++ UINT64_C(0x1B2ADC4F845EF36C), UINT64_C(0x195D5B505C1A33AB), ++ UINT64_C(0x8CEA528E421F59D2), UINT64_C(0x7DFCCECFD2931CEA) }, ++ { UINT64_C(0x51FFA1D58CF7E3F7), UINT64_C(0xF01B7886BDC9FB43), ++ UINT64_C(0xD65AB610261A0D35), UINT64_C(0x84BCBAFD7574A554), ++ UINT64_C(0x4B119956FAD70208), UINT64_C(0xDDC329C24FAB5243) } }, ++ { { UINT64_C(0x1A08AA579CE92177), UINT64_C(0x3395E557DC2B5C36), ++ UINT64_C(0xFDFE7041394ED04E), UINT64_C(0xB797EB24C6DFCDDE), ++ UINT64_C(0x284A6B2ACB9DE5D6), UINT64_C(0xE0BD95C807222765) }, ++ { UINT64_C(0x114A951B9FE678A7), UINT64_C(0xE7ECD0BD9E4954EC), ++ UINT64_C(0x7D4096FE79F0B8A9), UINT64_C(0xBDB26E9A09724FE2), ++ UINT64_C(0x08741AD8F787AF95), UINT64_C(0x2BF9727224045AD8) } }, ++ { { UINT64_C(0xAB1FEDD9A9451D57), UINT64_C(0xDF4D91DF483E38C9), ++ UINT64_C(0x2D54D31124E9CF8E), UINT64_C(0x9C2A5AF87A22EEB6), ++ UINT64_C(0xBD9861EF0A43F123), UINT64_C(0x581EA6A238A18B7B) }, ++ { UINT64_C(0xAF339C85296470A3), UINT64_C(0xF9603FCDAFD8203E), ++ UINT64_C(0x95D0535096763C28), UINT64_C(0x15445C16860EC831), ++ UINT64_C(0x2AFB87286867A323), UINT64_C(0x4B152D6D0C4838BF) } }, ++ { { UINT64_C(0x45BA0E4F837CACBA), UINT64_C(0x7ADB38AEC0725275), ++ UINT64_C(0x19C82831942D3C28), UINT64_C(0x94F4731D6D0FE7DD), ++ UINT64_C(0xC3C07E134898F1E6), UINT64_C(0x76350EACED410B51) }, ++ { UINT64_C(0x0FA8BECAF99AACFC), UINT64_C(0x2834D86F65FAF9CF), ++ UINT64_C(0x8E62846A6F3866AF), UINT64_C(0xDAA9BD4F3DFD6A2B), ++ UINT64_C(0xC27115BBA6132655), UINT64_C(0x83972DF7BD5A32C2) } }, ++ { { UINT64_C(0xA330CB5BD513B825), UINT64_C(0xAE18B2D3EE37BEC3), ++ UINT64_C(0xFC3AB80AF780A902), UINT64_C(0xD7835BE2D607DDF1), ++ UINT64_C(0x8120F7675B6E4C2B), UINT64_C(0xAA8C385967E78CCB) }, ++ { UINT64_C(0xA8DA8CE2AA0ED321), UINT64_C(0xCB8846FDD766341A), ++ UINT64_C(0xF2A342EE33DC9D9A), UINT64_C(0xA519E0BED0A18A80), ++ UINT64_C(0x9CDAA39CAF48DF4C), UINT64_C(0xA4B500CA7E0C19EE) } }, ++ { { UINT64_C(0x83A7FD2F8217001B), UINT64_C(0x4F6FCF064296A8BA), ++ UINT64_C(0x7D74864391619927), UINT64_C(0x174C1075941E4D41), ++ UINT64_C(0x037EDEBDA64F5A6C), UINT64_C(0xCF64DB3A6E29DC56) }, ++ { UINT64_C(0x150B3ACE37C0B9F4), UINT64_C(0x1323234A7168178B), ++ UINT64_C(0x1CE47014EF4D1879), UINT64_C(0xA22E374217FB4D5C), ++ UINT64_C(0x69B81822D985F794), UINT64_C(0x199C21C4081D7214) } }, ++ { { UINT64_C(0x160BC7A18F04B4D2), UINT64_C(0x79CA81DDB10DE174), ++ UINT64_C(0xE2A280B02DA1E9C7), UINT64_C(0xB4F6BD991D6A0A29), ++ UINT64_C(0x57CF3EDD1C5B8F27), UINT64_C(0x7E34FC57158C2FD4) }, ++ { UINT64_C(0x828CFD89CAC93459), UINT64_C(0x9E631B6FB7AF499F), ++ UINT64_C(0xF4DC8BC0DA26C135), UINT64_C(0x6128ED3937186735), ++ UINT64_C(0xBB45538B67BF0BA5), UINT64_C(0x1ADDD4C10064A3AB) } }, ++ }, ++ { ++ { { UINT64_C(0xC32730E8DD14D47E), UINT64_C(0xCDC1FD42C0F01E0F), ++ UINT64_C(0x2BACFDBF3F5CD846), UINT64_C(0x45F364167272D4DD), ++ UINT64_C(0xDD813A795EB75776), UINT64_C(0xB57885E450997BE2) }, ++ { UINT64_C(0xDA054E2BDB8C9829), UINT64_C(0x4161D820AAB5A594), ++ UINT64_C(0x4C428F31026116A3), UINT64_C(0x372AF9A0DCD85E91), ++ UINT64_C(0xFDA6E903673ADC2D), UINT64_C(0x4526B8ACA8DB59E6) } }, ++ { { UINT64_C(0x68FE359DE23A8472), UINT64_C(0x43EB12BD4CE3C101), ++ UINT64_C(0x0EC652C3FC704935), UINT64_C(0x1EEFF1F952E4E22D), ++ UINT64_C(0xBA6777CB083E3ADA), UINT64_C(0xAB52D7DC8BEFC871) }, ++ { UINT64_C(0x4EDE689F497CBD59), UINT64_C(0xC8AE42B927577DD9), ++ UINT64_C(0xE0F080517AB83C27), UINT64_C(0x1F3D5F252C8C1F48), ++ UINT64_C(0x57991607AF241AAC), UINT64_C(0xC4458B0AB8A337E0) } }, ++ { { UINT64_C(0x3DBB3FA651DD1BA9), UINT64_C(0xE53C1C4D545E960B), ++ UINT64_C(0x35AC6574793CE803), UINT64_C(0xB2697DC783DBCE4F), ++ UINT64_C(0xE35C5BF2E13CF6B0), UINT64_C(0x35034280B0C4A164) }, ++ { UINT64_C(0xAA490908D9C0D3C1), UINT64_C(0x2CCE614DCB4D2E90), ++ UINT64_C(0xF646E96C54D504E4), UINT64_C(0xD74E7541B73310A3), ++ UINT64_C(0xEAD7159618BDE5DA), UINT64_C(0x96E7F4A8AA09AEF7) } }, ++ { { UINT64_C(0xA8393A245D6E5F48), UINT64_C(0x2C8D7EA2F9175CE8), ++ UINT64_C(0xD8824E0255A20268), UINT64_C(0x9DD9A272A446BCC6), ++ UINT64_C(0xC929CDED5351499B), UINT64_C(0xEA5AD9ECCFE76535) }, ++ { UINT64_C(0x26F3D7D9DC32D001), UINT64_C(0x51C3BE8343EB9689), ++ UINT64_C(0x91FDCC06759E6DDB), UINT64_C(0xAC2E1904E302B891), ++ UINT64_C(0xAD25C645C207E1F7), UINT64_C(0x28A70F0DAB3DEB4A) } }, ++ { { UINT64_C(0x922D7F9703BEA8F1), UINT64_C(0x3AD820D4584570BE), ++ UINT64_C(0x0CE0A8503CD46B43), UINT64_C(0x4C07911FAE66743D), ++ UINT64_C(0x66519EB9FDA60023), UINT64_C(0x7F83004BEC2ACD9C) }, ++ { UINT64_C(0x001E0B80C3117EAD), UINT64_C(0xBB72D5410722BA25), ++ UINT64_C(0x3AF7DB966E9A5078), UINT64_C(0x86C5774E701B6B4C), ++ UINT64_C(0xBD2C0E8E37824DB5), UINT64_C(0x3AE3028CBFAC286D) } }, ++ { { UINT64_C(0x83D4D4A8A33E071B), UINT64_C(0x881C0A9261444BB5), ++ UINT64_C(0xEEA1E292520E3BC3), UINT64_C(0x5A5F4C3C2AAAB729), ++ UINT64_C(0x0B766C5EE63C7C94), UINT64_C(0x62BB8A9FBB2CC79C) }, ++ { UINT64_C(0x97ADC7D2AA5DC49D), UINT64_C(0x30CC26B331718681), ++ UINT64_C(0xAC86E6FF56E86EDE), UINT64_C(0x37BCA7A2CD52F7F2), ++ UINT64_C(0x734D2C949CE6D87F), UINT64_C(0x06A71D71C2F7E0CA) } }, ++ { { UINT64_C(0x559DCF75C6357D33), UINT64_C(0x4616D940652517DE), ++ UINT64_C(0x3D576B981CCF207B), UINT64_C(0x51E2D1EF1979F631), ++ UINT64_C(0x57517DDD06AE8296), UINT64_C(0x309A3D7FD6E7151F) }, ++ { UINT64_C(0xBA2A23E60E3A6FE5), UINT64_C(0x76CF674AD28B22C3), ++ UINT64_C(0xD235AD07F8B808C3), UINT64_C(0x7BBF4C586B71213A), ++ UINT64_C(0x0676792E93271EBB), UINT64_C(0x2CFD2C7605B1FC31) } }, ++ { { UINT64_C(0x4258E5C037A450F5), UINT64_C(0xC3245F1B52D2B118), ++ UINT64_C(0x6DF7B48482BC5963), UINT64_C(0xE520DA4D9C273D1E), ++ UINT64_C(0xED78E0122C3010E5), UINT64_C(0x112229483C1D4C05) }, ++ { UINT64_C(0xE3DAE5AFC692B490), UINT64_C(0x3272BD10C197F793), ++ UINT64_C(0xF7EAE411E709ACAA), UINT64_C(0x00B0C95F778270A6), ++ UINT64_C(0x4DA76EE1220D4350), UINT64_C(0x521E1461AB71E308) } }, ++ { { UINT64_C(0x7B654323343196A3), UINT64_C(0x35D442ADB0C95250), ++ UINT64_C(0x38AF50E6E264FF17), UINT64_C(0x28397A412030D2EA), ++ UINT64_C(0x8F1D84E9F74EEDA1), UINT64_C(0xD521F92DE6FB3C52) }, ++ { UINT64_C(0xAF358D7795733811), UINT64_C(0xEBFDDD0193ABFE94), ++ UINT64_C(0x05D8A028D18D99DE), UINT64_C(0x5A664019B5D5BDD9), ++ UINT64_C(0x3DF172822AA12FE8), UINT64_C(0xB42E006FB889A28E) } }, ++ { { UINT64_C(0xCF10E97DBC35CB1A), UINT64_C(0xC70A7BBD994DEDC5), ++ UINT64_C(0x76A5327C37D04FB9), UINT64_C(0x87539F76A76E0CDA), ++ UINT64_C(0xE9FE493FCD60A6B1), UINT64_C(0xA4574796132F01C0) }, ++ { UINT64_C(0xC43B85EBDB70B167), UINT64_C(0x81D5039A98551DFA), ++ UINT64_C(0x6B56FBE91D979FA4), UINT64_C(0x49714FD78615098F), ++ UINT64_C(0xB10E1CEA94DECAB5), UINT64_C(0x8342EBA3480EF6E3) } }, ++ { { UINT64_C(0xE1E030B0B3677288), UINT64_C(0x2978174C8D5CE3AF), ++ UINT64_C(0xAFC0271CF7B2DE98), UINT64_C(0x745BC6F3B99C20B5), ++ UINT64_C(0x9F6EDCED1E3BB4E5), UINT64_C(0x58D3EE4E73C8C1FC) }, ++ { UINT64_C(0x1F3535F47FD30124), UINT64_C(0xF366AC705FA62502), ++ UINT64_C(0x4C4C1FDD965363FE), UINT64_C(0x8B2C77771DE2CA2B), ++ UINT64_C(0x0CB54743882F1173), UINT64_C(0x94B6B8C071343331) } }, ++ { { UINT64_C(0x75AF014165B8B35B), UINT64_C(0x6D7B84854670A1F5), ++ UINT64_C(0x6EAA3A47A3B6D376), UINT64_C(0xD7E673D2CB3E5B66), ++ UINT64_C(0xC0338E6C9589AB38), UINT64_C(0x4BE26CB309440FAA) }, ++ { UINT64_C(0x82CB05E7394F9AA3), UINT64_C(0xC45C8A8A7F7792EA), ++ UINT64_C(0x37E5E33BB687DC70), UINT64_C(0x63853219DFE48E49), ++ UINT64_C(0x087951C16D0E5C8C), UINT64_C(0x7696A8C72BC27310) } }, ++ { { UINT64_C(0xA05736D5B67E834A), UINT64_C(0xDD2AA0F29098D42A), ++ UINT64_C(0x09F0C1D849C69DDC), UINT64_C(0x81F8BC1C8FF0F0F3), ++ UINT64_C(0x36FD3A4F03037775), UINT64_C(0x8286717D4B06DF5C) }, ++ { UINT64_C(0xB878F496A9079EA2), UINT64_C(0xA5642426D7DC796D), ++ UINT64_C(0x29B9351A67FDAC2B), UINT64_C(0x93774C0E1D543CDE), ++ UINT64_C(0x4F8793BA1A8E31C4), UINT64_C(0x7C9F3F3A6C94798A) } }, ++ { { UINT64_C(0x23C5AD11CB8ECDB8), UINT64_C(0x1E88D25E485A6A02), ++ UINT64_C(0xB27CBE84F1E268AE), UINT64_C(0xDDA80238F4CD0475), ++ UINT64_C(0x4F88857B49F8EB1B), UINT64_C(0x91B1221F52FB07F9) }, ++ { UINT64_C(0x7CE974608637FA67), UINT64_C(0x528B3CF4632198D8), ++ UINT64_C(0x33365AB3F6623769), UINT64_C(0x6FEBCFFF3A83A30F), ++ UINT64_C(0x398F4C999BD341EB), UINT64_C(0x180712BBB33A333C) } }, ++ { { UINT64_C(0x2B8655A2D93429E7), UINT64_C(0x99D600BB75C8B9EE), ++ UINT64_C(0x9FC1AF8B88FCA6CD), UINT64_C(0x2FB533867C311F80), ++ UINT64_C(0x20743ECBE8A71EEE), UINT64_C(0xEC3713C4E848B49E) }, ++ { UINT64_C(0x5B2037B5BB886817), UINT64_C(0x40EF5AC2307DBAF4), ++ UINT64_C(0xC2888AF21B3F643D), UINT64_C(0x0D8252E19D5A4190), ++ UINT64_C(0x06CC0BEC2DB52A8A), UINT64_C(0xB84B98EAAB94E969) } }, ++ { { UINT64_C(0x2E7AC078A0321E0E), UINT64_C(0x5C5A1168EF3DAAB6), ++ UINT64_C(0xD2D573CBADDD454A), UINT64_C(0x27E149E236259CC7), ++ UINT64_C(0x1EDFD469A63F47F1), UINT64_C(0x039AD674F1BD2CFD) }, ++ { UINT64_C(0xBFA633FC3077D3CC), UINT64_C(0x14A7C82F2FD64E9F), ++ UINT64_C(0xAAA650149D824999), UINT64_C(0x41AB113B21760F2E), ++ UINT64_C(0x23E646C51CAE260A), UINT64_C(0x08062C8F68DC5159) } }, ++ }, ++ { ++ { { UINT64_C(0x2E7D0A16204BE028), UINT64_C(0x4F1D082ED0E41851), ++ UINT64_C(0x15F1DDC63EB317F9), UINT64_C(0xF02750715ADF71D7), ++ UINT64_C(0x2CE33C2EEE858BC3), UINT64_C(0xA24C76D1DA73B71A) }, ++ { UINT64_C(0x9EF6A70A6C70C483), UINT64_C(0xEFCF170505CF9612), ++ UINT64_C(0x9F5BF5A67502DE64), UINT64_C(0xD11122A1A4701973), ++ UINT64_C(0x82CFAAC2A2EA7B24), UINT64_C(0x6CAD67CC0A4582E1) } }, ++ { { UINT64_C(0x597A26FFB4DC8600), UINT64_C(0x264A09F3F9288555), ++ UINT64_C(0x0B06AFF65C27F5F6), UINT64_C(0xCE5AB665D8D544E6), ++ UINT64_C(0x92F031BE99275C32), UINT64_C(0xAF51C5BBF42E0E7C) }, ++ { UINT64_C(0x5BB28B061E37B36D), UINT64_C(0x583FBA6A8473543A), ++ UINT64_C(0xE73FD299F93FB7DC), UINT64_C(0xFCD999A86E2CCAD9), ++ UINT64_C(0xB8C8A6DF334D4F57), UINT64_C(0x5ADB28DD9A2ACC9B) } }, ++ { { UINT64_C(0x5ADF3D9A111792B9), UINT64_C(0x1C77A3054F1E0D09), ++ UINT64_C(0xF9FBCE33A82D3736), UINT64_C(0xF307823E718C8AA3), ++ UINT64_C(0x860578CF416CCF69), UINT64_C(0xB942ADD81EF8465B) }, ++ { UINT64_C(0x9EE0CF97CD9472E1), UINT64_C(0xE6792EEFB01528A8), ++ UINT64_C(0xF99B9A8DC09DA90B), UINT64_C(0x1F521C2DCBF3CCB8), ++ UINT64_C(0x6BF6694891A62632), UINT64_C(0xCC7A9CEB854FE9DA) } }, ++ { { UINT64_C(0x46303171491CCB92), UINT64_C(0xA80A8C0D2771235B), ++ UINT64_C(0xD8E497FFF172C7CF), UINT64_C(0x7F7009D735B193CF), ++ UINT64_C(0x6B9FD3F7F19DF4BC), UINT64_C(0xADA548C3B46F1E37) }, ++ { UINT64_C(0x87C6EAA9C7A20270), UINT64_C(0xEF2245D6AE78EF99), ++ UINT64_C(0x2A121042539EAB95), UINT64_C(0x29A6D5D779B8F5CC), ++ UINT64_C(0x33803A10B77840DC), UINT64_C(0xFEDD3A7011A6A30F) } }, ++ { { UINT64_C(0xFA070E22142403D1), UINT64_C(0x68FF316015C6F7F5), ++ UINT64_C(0xE09F04E6223A0CE8), UINT64_C(0x22BBD01853E14183), ++ UINT64_C(0x35D9FAFCCF45B75B), UINT64_C(0x3A34819D7ECEEC88) }, ++ { UINT64_C(0xD9CF7568D33262D2), UINT64_C(0x431036D5841D1505), ++ UINT64_C(0x0C8005659EB2A79A), UINT64_C(0x8E77D9F05F7EDC6A), ++ UINT64_C(0x19E12D0565E800AA), UINT64_C(0x335C8D36B7784E7C) } }, ++ { { UINT64_C(0x8B2FC4E96484FD40), UINT64_C(0xEE702764A35D24EA), ++ UINT64_C(0x15B28AC7B871C3F3), UINT64_C(0x805B4048E097047F), ++ UINT64_C(0xD6F1B8DF647CAD2F), UINT64_C(0xF1D5B458DC7DD67F) }, ++ { UINT64_C(0x324C529C25148803), UINT64_C(0xF6185EBE21274FAF), ++ UINT64_C(0xAF14751E95148B55), UINT64_C(0x283ED89D28F284F4), ++ UINT64_C(0x93AD20E74CBEBF1A), UINT64_C(0x5F6EC65D882935E1) } }, ++ { { UINT64_C(0xE222EBA4A4DCEFE9), UINT64_C(0x63AD235FEC1CEB74), ++ UINT64_C(0x2E0BF749E05B18E7), UINT64_C(0x547BD050B48BDD87), ++ UINT64_C(0x0490C970F5AA2FC4), UINT64_C(0xCED5E4CF2B431390) }, ++ { UINT64_C(0x07D8270451D2898E), UINT64_C(0x44B72442083B57D4), ++ UINT64_C(0xA4ADA2305037FCE8), UINT64_C(0x55F7905E50510DA6), ++ UINT64_C(0xD8EE724F8D890A98), UINT64_C(0x925A8E7C11B85640) } }, ++ { { UINT64_C(0x5BFA10CD1CA459ED), UINT64_C(0x593F085A6DCF56BF), ++ UINT64_C(0xE6F0AD9BC0579C3E), UINT64_C(0xC11C95A22527C1AD), ++ UINT64_C(0x7CFA71E1CF1CB8B3), UINT64_C(0xEDCFF8331D6DC79D) }, ++ { UINT64_C(0x581C4BBE432521C9), UINT64_C(0xBF620096144E11A0), ++ UINT64_C(0x54C38B71BE3A107B), UINT64_C(0xED555E37E2606EC0), ++ UINT64_C(0x3FB148B8D721D034), UINT64_C(0x79D53DAD0091BC90) } }, ++ { { UINT64_C(0xE32068C5B7082C80), UINT64_C(0x4140FFD27A144E22), ++ UINT64_C(0x5811D2F09EDD9E86), UINT64_C(0xCDD79B5FC572C465), ++ UINT64_C(0x3563FED1C97BF450), UINT64_C(0x985C1444F2CE5C9C) }, ++ { UINT64_C(0x260AE79799950F1C), UINT64_C(0x659F4F40765E9DED), ++ UINT64_C(0x2A412D662E3BC286), UINT64_C(0xE865E62CF87E0C82), ++ UINT64_C(0xD63D3A9A6C05E7D7), UINT64_C(0x96725D678686F89A) } }, ++ { { UINT64_C(0xC99A5E4CAB7EA0F5), UINT64_C(0xC9860A1AC5393FA9), ++ UINT64_C(0x9ED83CEE8FDEEFC0), UINT64_C(0xE3EA8B4C5ED6869A), ++ UINT64_C(0x89A85463D2EED3A9), UINT64_C(0x2CD91B6DE421A622) }, ++ { UINT64_C(0x6FEC1EF32C91C41D), UINT64_C(0xB1540D1F8171037D), ++ UINT64_C(0x4FE4991A1C010E5B), UINT64_C(0x28A3469FFC1C7368), ++ UINT64_C(0xE1EEECD1AF118781), UINT64_C(0x1BCCB97799EF3531) } }, ++ { { UINT64_C(0x63D3B638C4DAB7B8), UINT64_C(0xD92133B63F7F5BAB), ++ UINT64_C(0x2573EE2009FB6069), UINT64_C(0x771FABDF890A1686), ++ UINT64_C(0x1D0BA21FA77AFFF5), UINT64_C(0x83145FCCBA3DD2C0) }, ++ { UINT64_C(0xFA073A812D115C20), UINT64_C(0x6AB7A9D319176F27), ++ UINT64_C(0xAF62CF939AC639EE), UINT64_C(0xF73848B92CCD1319), ++ UINT64_C(0x3B6132343C71659D), UINT64_C(0xF8E0011C10AB3826) } }, ++ { { UINT64_C(0x0501F0360282FFA5), UINT64_C(0xC39A5CF4D9E0F15A), ++ UINT64_C(0x48D8C7299A3D1F3C), UINT64_C(0xB5FC136B64E18EDA), ++ UINT64_C(0xE81B53D97E58FEF0), UINT64_C(0x0D534055F7B0F28D) }, ++ { UINT64_C(0x47B8DE127A80619B), UINT64_C(0x60E2A2B381F9E55D), ++ UINT64_C(0x6E9624D7CF564CC5), UINT64_C(0xFDF18A216BDEDFFF), ++ UINT64_C(0x3787DE38C0D5FC82), UINT64_C(0xCBCAA347497A6B11) } }, ++ { { UINT64_C(0x6E7EF35EB226465A), UINT64_C(0x4B4699195F8A2BAF), ++ UINT64_C(0x44B3A3CF1120D93F), UINT64_C(0xB052C8B668F34AD1), ++ UINT64_C(0x27EC574BEF7632DD), UINT64_C(0xAEBEA108685DE26F) }, ++ { UINT64_C(0xDA33236BE39424B6), UINT64_C(0xB1BD94A9EBCC22AD), ++ UINT64_C(0x6DDEE6CC2CDFB5D5), UINT64_C(0xBDAED9276F14069A), ++ UINT64_C(0x2ADE427C2A247CB7), UINT64_C(0xCE96B436ED156A40) } }, ++ { { UINT64_C(0xDDDCA36081F3F819), UINT64_C(0x4AF4A49FD419B96A), ++ UINT64_C(0x746C65257CB966B9), UINT64_C(0x01E390886F610023), ++ UINT64_C(0x05ECB38D98DD33FC), UINT64_C(0x962B971B8F84EDF4) }, ++ { UINT64_C(0xEB32C0A56A6F2602), UINT64_C(0xF026AF71562D60F2), ++ UINT64_C(0xA9E246BF84615FAB), UINT64_C(0xAD96709275DBAE01), ++ UINT64_C(0xBF97C79B3ECE5D07), UINT64_C(0xE06266C774EAA3D3) } }, ++ { { UINT64_C(0x161A01572E6DBB6E), UINT64_C(0xB8AF490460FA8F47), ++ UINT64_C(0xE4336C4400197F22), UINT64_C(0xF811AFFA9CEDCE0E), ++ UINT64_C(0xB1DD7685F94C2EF1), UINT64_C(0xEEDC0F4BCA957BB0) }, ++ { UINT64_C(0xD319FD574AA76BB1), UINT64_C(0xB3525D7C16CD7CCB), ++ UINT64_C(0x7B22DA9CA97DD072), UINT64_C(0x99DB84BD38A83E71), ++ UINT64_C(0x4939BC8DC0EDD8BE), UINT64_C(0x06D524EA903A932C) } }, ++ { { UINT64_C(0x4BC950EC0E31F639), UINT64_C(0xB7ABD3DC6016BE30), ++ UINT64_C(0x3B0F44736703DAD0), UINT64_C(0xCC405F8B0AC1C4EA), ++ UINT64_C(0x9BED5E57176C3FEE), UINT64_C(0xF452481036AE36C2) }, ++ { UINT64_C(0xC1EDBB8315D7B503), UINT64_C(0x943B1156E30F3657), ++ UINT64_C(0x984E9EEF98377805), UINT64_C(0x291AE7AC36CF1DEB), ++ UINT64_C(0xFED8748CA9F66DF3), UINT64_C(0xECA758BBFEA8FA5D) } }, ++ }, ++ { ++ { { UINT64_C(0xACC787EF2DD1B249), UINT64_C(0x736E1030D82976F1), ++ UINT64_C(0x0A6940FAA01B3649), UINT64_C(0xE00B926BC42341E7), ++ UINT64_C(0x911508D0DE8FFD6C), UINT64_C(0x4DCF8D465276B0CB) }, ++ { UINT64_C(0x23AD0A90CC3CAD8D), UINT64_C(0x2A92E54CADED962A), ++ UINT64_C(0x93FBEC4DF231BFAF), UINT64_C(0x9544BC774798987A), ++ UINT64_C(0x48084E2508E29F60), UINT64_C(0x0C0D2F4332DE5869) } }, ++ { { UINT64_C(0x6778F9703A9ABC13), UINT64_C(0xFD014FAC3D2B166B), ++ UINT64_C(0x1FE4FC783C6FED60), UINT64_C(0x04295FA8AA7C69C5), ++ UINT64_C(0xA01DE56D7C123175), UINT64_C(0x0FA0D3A83D9A713A) }, ++ { UINT64_C(0xA7A6E5E3E3E08ADD), UINT64_C(0xBD77E94B1AC58F85), ++ UINT64_C(0x078F6FD2B7321A9C), UINT64_C(0x9564601E911EF6D9), ++ UINT64_C(0x31C5C1B2415C6BEF), UINT64_C(0xE6C0C91ED3212C62) } }, ++ { { UINT64_C(0xBA7BD23C0D16022F), UINT64_C(0xE9CF4750198BE288), ++ UINT64_C(0x304E316947DEEC65), UINT64_C(0xCF65B41F96EEB288), ++ UINT64_C(0x17E99C17927E9E3B), UINT64_C(0x82225546F6630A80) }, ++ { UINT64_C(0x15122B8ACA067BD9), UINT64_C(0xE2673205B77B4E98), ++ UINT64_C(0x130375659407CA63), UINT64_C(0x53624F548B621602), ++ UINT64_C(0x96AF2CB1EAE4BD06), UINT64_C(0x576ECD1C8FA20829) } }, ++ { { UINT64_C(0xA551CE107E02D2D0), UINT64_C(0x1584ED249D13DBC7), ++ UINT64_C(0x082017AD4DA7B6D8), UINT64_C(0x81918A8FE054BC48), ++ UINT64_C(0x677DB48E572DC384), UINT64_C(0x2EF822966155484C) }, ++ { UINT64_C(0xC3DB14C641B9C231), UINT64_C(0x910A87D14A766192), ++ UINT64_C(0x93D5CC8610AB8E0F), UINT64_C(0x4194D548AE57CA1B), ++ UINT64_C(0xFAF3A1D6267FC37A), UINT64_C(0x70EC236413B87C97) } }, ++ { { UINT64_C(0x064B565B5E12756A), UINT64_C(0x953B7BD1AE49C98E), ++ UINT64_C(0xE0CE8284F7001D91), UINT64_C(0x1546060BF31108D0), ++ UINT64_C(0xDBC2C3F46779B6E2), UINT64_C(0x157AA47DE0DD07CF) }, ++ { UINT64_C(0xBF4A1C6FF23B261E), UINT64_C(0x5B8EED30654F4BE5), ++ UINT64_C(0xDF5896D36B20CCD8), UINT64_C(0x56920E2C559ED23D), ++ UINT64_C(0x901F342EFA6E3E27), UINT64_C(0x745C747C896CA082) } }, ++ { { UINT64_C(0xDBCCD5752944EC84), UINT64_C(0x54A2A935A5FF65FE), ++ UINT64_C(0x88C92A5E1A1319B6), UINT64_C(0x9537C28F82DA96C1), ++ UINT64_C(0xB683647435F93C46), UINT64_C(0xEC526A1D65B0846C) }, ++ { UINT64_C(0x6F12AFBDF382C412), UINT64_C(0x5EBC81D89E99FA06), ++ UINT64_C(0x97B5D672869B93BD), UINT64_C(0x2983C310377E12AA), ++ UINT64_C(0x4875968124D681EA), UINT64_C(0x1E0BD106287FD767) } }, ++ { { UINT64_C(0x0AC75A3E7231247F), UINT64_C(0x65C20DE6EF27AD3A), ++ UINT64_C(0x87EB6CF1BD02EEE5), UINT64_C(0x264ACA7A00147E03), ++ UINT64_C(0xEBC78581AE2A9437), UINT64_C(0x9929964E6316BFA5) }, ++ { UINT64_C(0xDC09E0409AF207EF), UINT64_C(0x3ECFFE2D0C9D8658), ++ UINT64_C(0x547EA735DFB43D38), UINT64_C(0x5485247BD04B1B20), ++ UINT64_C(0xB18D3F02BFD8B609), UINT64_C(0xEEB3E805CCE73705) } }, ++ { { UINT64_C(0xDAB1A525DB93850F), UINT64_C(0x18ADAA238365B7D5), ++ UINT64_C(0x58485C90113FC8C7), UINT64_C(0x80C3DBB9348AD323), ++ UINT64_C(0xAF892FB5E16ADCA1), UINT64_C(0x2183C879979F005A) }, ++ { UINT64_C(0x20FA1A940643A99E), UINT64_C(0x2741221C1A1609CB), ++ UINT64_C(0x1C1687E53C2FBDDC), UINT64_C(0xDCCF329ED420D6CF), ++ UINT64_C(0x75D5577D2B7197D1), UINT64_C(0x4C3C3875C8729D9C) } }, ++ { { UINT64_C(0x5E79F995E5CBDCB9), UINT64_C(0x03139824A742FCC7), ++ UINT64_C(0x6D0C214A239EF4A1), UINT64_C(0x53A27952401A2944), ++ UINT64_C(0xF42A1B34C10BCDF0), UINT64_C(0x426BAA437CF38061) }, ++ { UINT64_C(0x16A53139A96AD0C8), UINT64_C(0x627F1D316BAD5301), ++ UINT64_C(0x5AF748774ACCD627), UINT64_C(0x3C58A1C5B55B0FB8), ++ UINT64_C(0xFAA57B91F4399A6A), UINT64_C(0xBAD283FBC28094B8) } }, ++ { { UINT64_C(0xBA32AC6183E10A93), UINT64_C(0x1C91F6B4EC06BDB0), ++ UINT64_C(0x42E6CFBC65F60C93), UINT64_C(0xEFE33BC82C0CDCBE), ++ UINT64_C(0xE0FE1D094D6414F2), UINT64_C(0x4C11231676FA5C5B) }, ++ { UINT64_C(0x812C1DC62E26200A), UINT64_C(0xD6C413C5EE879D25), ++ UINT64_C(0xBEADE255BCA8BAFE), UINT64_C(0x0EAF4AE2CE2BA0E7), ++ UINT64_C(0x66E9FFB0C4F4408A), UINT64_C(0xB36A86D79782C7AD) } }, ++ { { UINT64_C(0x10FCD1F4BAD8D1C7), UINT64_C(0xC903816A4502F645), ++ UINT64_C(0x7FAC1CC1A503B895), UINT64_C(0x8BCD60410778900C), ++ UINT64_C(0x5A5F22025BCF2784), UINT64_C(0x9B157E8710EDB896) }, ++ { UINT64_C(0x4C58DA69F602A8B1), UINT64_C(0xD55132F859EC9D7E), ++ UINT64_C(0x155B719AA26D4870), UINT64_C(0x25AAFCA336441746), ++ UINT64_C(0x01F83338DD3B6B30), UINT64_C(0xD52BB5C1551917CC) } }, ++ { { UINT64_C(0xA0B6207B6135066A), UINT64_C(0xB3409F842AEC8CBD), ++ UINT64_C(0x5EBFD43619D87DF0), UINT64_C(0xCB4C209BE8526DE2), ++ UINT64_C(0xD764085B21E1A230), UINT64_C(0x96F915540899964A) }, ++ { UINT64_C(0xB0BEC8EFA57D122A), UINT64_C(0xC572EC565D9D0B33), ++ UINT64_C(0xEBE2A780CFA7C72C), UINT64_C(0x52D40CDB9EF3295C), ++ UINT64_C(0x640045840DE74DFE), UINT64_C(0xA6846432C0809716) } }, ++ { { UINT64_C(0x0D09E8CD02C979BC), UINT64_C(0xEC4B21F6409F4F2A), ++ UINT64_C(0x68125C7013FB07CA), UINT64_C(0x1C4CFC176FDFA72A), ++ UINT64_C(0xC9E71B9E04539FCD), UINT64_C(0x94B7103D8BA70797) }, ++ { UINT64_C(0x6B81E82FB33FDE83), UINT64_C(0x7CA9A8CAEABAFD4B), ++ UINT64_C(0xADD85A67EAB819CE), UINT64_C(0xAEC2548398E99FFC), ++ UINT64_C(0x938D6440274A07B6), UINT64_C(0x0A5C7097564A6AA0) } }, ++ { { UINT64_C(0x7284FF502F4FCEB6), UINT64_C(0x0A28715A78D0D5CB), ++ UINT64_C(0xE70B7014BFCE187C), UINT64_C(0xA6B538F57A17148D), ++ UINT64_C(0x1DAB07C9DD427166), UINT64_C(0x5C5578B0149D23CA) }, ++ { UINT64_C(0x875E2056875B5EDE), UINT64_C(0xCBF44B6D02C893B9), ++ UINT64_C(0x5715A77E5C2993FB), UINT64_C(0xAF3281463410597E), ++ UINT64_C(0x65DF418F42DC49DF), UINT64_C(0x7AC9C720A9EE52F6) } }, ++ { { UINT64_C(0xB1C9AA0762955486), UINT64_C(0xCBF35BE3245061D7), ++ UINT64_C(0x811E1BD38CF4DDC0), UINT64_C(0xD9D4589C948F7C84), ++ UINT64_C(0x30D09A0FCB0F996D), UINT64_C(0x1A1B3B7A590E7704) }, ++ { UINT64_C(0xA848E3492082768D), UINT64_C(0x9FEBD4929A249DF4), ++ UINT64_C(0x503420AF5F20439A), UINT64_C(0x0CBE52B68E2BFCD4), ++ UINT64_C(0xB1D5E261118C91B2), UINT64_C(0x93CFF6DA71D8F2BC) } }, ++ { { UINT64_C(0x5F5BC06B8AB58944), UINT64_C(0xE4BED5384979882D), ++ UINT64_C(0x57C30362D79B0EB1), UINT64_C(0x391AE2C1EF7C56D8), ++ UINT64_C(0x28BC2E97ADD98625), UINT64_C(0xFA8E86B81B257107) }, ++ { UINT64_C(0x5E4859F86118C715), UINT64_C(0x91C83324524C71DD), ++ UINT64_C(0xFB2092436D2F5E6D), UINT64_C(0x6B4FE21F2A900A43), ++ UINT64_C(0x241F75D632A73C1F), UINT64_C(0xF5BC46295AE89613) } }, ++ } ++}; ++ ++/*- ++ * Q := 2P, both projective, Q and P same pointers OK ++ * Autogenerated: op3/dbl_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 6 ++ * ASSERT: a = -3 ++ */ ++static void ++point_double(pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X = P->X; ++ const limb_t *Y = P->Y; ++ const limb_t *Z = P->Z; ++ limb_t *X3 = Q->X; ++ limb_t *Y3 = Q->Y; ++ limb_t *Z3 = Q->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_square(t0, X); ++ fiat_secp384r1_square(t1, Y); ++ fiat_secp384r1_square(t2, Z); ++ fiat_secp384r1_mul(t3, X, Y); ++ fiat_secp384r1_add(t3, t3, t3); ++ fiat_secp384r1_mul(t4, Y, Z); ++ fiat_secp384r1_mul(Z3, X, Z); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_mul(Y3, b, t2); ++ fiat_secp384r1_sub(Y3, Y3, Z3); ++ fiat_secp384r1_add(X3, Y3, Y3); ++ fiat_secp384r1_add(Y3, X3, Y3); ++ fiat_secp384r1_sub(X3, t1, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_mul(Y3, X3, Y3); ++ fiat_secp384r1_mul(X3, X3, t3); ++ fiat_secp384r1_add(t3, t2, t2); ++ fiat_secp384r1_add(t2, t2, t3); ++ fiat_secp384r1_mul(Z3, b, Z3); ++ fiat_secp384r1_sub(Z3, Z3, t2); ++ fiat_secp384r1_sub(Z3, Z3, t0); ++ fiat_secp384r1_add(t3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, t3); ++ fiat_secp384r1_add(t3, t0, t0); ++ fiat_secp384r1_add(t0, t3, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t0, t0, Z3); ++ fiat_secp384r1_add(Y3, Y3, t0); ++ fiat_secp384r1_add(t0, t4, t4); ++ fiat_secp384r1_mul(Z3, t0, Z3); ++ fiat_secp384r1_sub(X3, X3, Z3); ++ fiat_secp384r1_mul(Z3, t0, t1); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++} ++ ++/*- ++ * R := Q + P where R and Q are projective, P affine. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_mixed.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 5 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ fe_t X3; ++ fe_t Y3; ++ fe_t Z3; ++ limb_t nz; ++ ++ /* check P for affine inf */ ++ fiat_secp384r1_nonzero(&nz, P->Y); ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_add(t3, X2, Y2); ++ fiat_secp384r1_add(t4, X1, Y1); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_mul(t4, Y2, Z1); ++ fiat_secp384r1_add(t4, t4, Y1); ++ fiat_secp384r1_mul(Y3, X2, Z1); ++ fiat_secp384r1_add(Y3, Y3, X1); ++ fiat_secp384r1_mul(Z3, b, Z1); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, Z1, Z1); ++ fiat_secp384r1_add(t2, t1, Z1); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++ ++ /* if P is inf, throw all that away and take Q */ ++ fiat_secp384r1_selectznz(R->X, nz, Q->X, X3); ++ fiat_secp384r1_selectznz(R->Y, nz, Q->Y, Y3); ++ fiat_secp384r1_selectznz(R->Z, nz, Q->Z, Z3); ++} ++ ++/*- ++ * R := Q + P all projective. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 4 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4, t5; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ const limb_t *Z2 = P->Z; ++ limb_t *X3 = R->X; ++ limb_t *Y3 = R->Y; ++ limb_t *Z3 = R->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_mul(t2, Z1, Z2); ++ fiat_secp384r1_add(t3, X1, Y1); ++ fiat_secp384r1_add(t4, X2, Y2); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_add(t4, Y1, Z1); ++ fiat_secp384r1_add(t5, Y2, Z2); ++ fiat_secp384r1_mul(t4, t4, t5); ++ fiat_secp384r1_add(t5, t1, t2); ++ fiat_secp384r1_sub(t4, t4, t5); ++ fiat_secp384r1_add(X3, X1, Z1); ++ fiat_secp384r1_add(Y3, X2, Z2); ++ fiat_secp384r1_mul(X3, X3, Y3); ++ fiat_secp384r1_add(Y3, t0, t2); ++ fiat_secp384r1_sub(Y3, X3, Y3); ++ fiat_secp384r1_mul(Z3, b, t2); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, t2, t2); ++ fiat_secp384r1_add(t2, t1, t2); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++} ++ ++/* constants */ ++#define RADIX 5 ++#define DRADIX (1 << RADIX) ++#define DRADIX_WNAF ((DRADIX) << 1) ++ ++/*- ++ * precomp for wnaf scalar multiplication: ++ * precomp[0] = 1P ++ * precomp[1] = 3P ++ * precomp[2] = 5P ++ * precomp[3] = 7P ++ * precomp[4] = 9P ++ * ... ++ */ ++static void ++precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) ++{ ++ int i; ++ ++ fe_copy(precomp[0].X, P->X); ++ fe_copy(precomp[0].Y, P->Y); ++ fe_copy(precomp[0].Z, const_one); ++ point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); ++ ++ for (i = 1; i < DRADIX / 2; i++) ++ point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); ++} ++ ++/* fetch a scalar bit */ ++static int ++scalar_get_bit(const unsigned char in[48], int idx) ++{ ++ int widx, rshift; ++ ++ widx = idx >> 3; ++ rshift = idx & 0x7; ++ ++ if (idx < 0 || widx >= 48) ++ return 0; ++ ++ return (in[widx] >> rshift) & 0x1; ++} ++ ++/*- ++ * Compute "regular" wnaf representation of a scalar. ++ * See "Exponent Recoding and Regular Exponentiation Algorithms", ++ * Tunstall et al., AfricaCrypt 2009, Alg 6. ++ * It forces an odd scalar and outputs digits in ++ * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} ++ * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". ++ */ ++static void ++scalar_rwnaf(int8_t out[77], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = (in[0] & (DRADIX_WNAF - 1)) | 1; ++ for (i = 0; i < 76; i++) { ++ d = (window & (DRADIX_WNAF - 1)) - DRADIX; ++ out[i] = d; ++ window = (window - d) >> RADIX; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; ++ } ++ out[i] = window; ++} ++ ++/*- ++ * Compute "textbook" wnaf representation of a scalar. ++ * NB: not constant time ++ */ ++static void ++scalar_wnaf(int8_t out[385], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = in[0] & (DRADIX_WNAF - 1); ++ for (i = 0; i < 385; i++) { ++ d = 0; ++ if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) ++ d -= DRADIX_WNAF; ++ out[i] = d; ++ window = (window - d) >> 1; ++ window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; ++ } ++} ++ ++/*- ++ * Simulateous scalar multiplication: interleaved "textbook" wnaf. ++ * NB: not constant time ++ */ ++static void ++var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[48], ++ const unsigned char b[48], const pt_aff_t *P) ++{ ++ int i, d, is_neg, is_inf = 1, flipped = 0; ++ int8_t anaf[385] = { 0 }; ++ int8_t bnaf[385] = { 0 }; ++ pt_prj_t Q; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_wnaf(anaf, a); ++ scalar_wnaf(bnaf, b); ++ ++ for (i = 384; i >= 0; i--) { ++ if (!is_inf) ++ point_double(&Q, &Q); ++ if ((d = bnaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &precomp[d].X); ++ fe_copy(Q.Y, &precomp[d].Y); ++ fe_copy(Q.Z, &precomp[d].Z); ++ is_inf = 0; ++ } else ++ point_add_proj(&Q, &Q, &precomp[d]); ++ } ++ if ((d = anaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &lut_cmb[0][d].X); ++ fe_copy(Q.Y, &lut_cmb[0][d].Y); ++ fe_copy(Q.Z, const_one); ++ is_inf = 0; ++ } else ++ point_add_mixed(&Q, &Q, &lut_cmb[0][d]); ++ } ++ } ++ ++ if (is_inf) { ++ /* initialize accumulator to inf: all-zero scalars */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ } ++ ++ if (flipped) { ++ /* correct sign */ ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ } ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Variable point scalar multiplication with "regular" wnaf. ++ */ ++static void ++var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[48], ++ const pt_aff_t *P) ++{ ++ int i, j, d, diff, is_neg; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, lut; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_rwnaf(rnaf, scalar); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ /* initialize accumulator to high digit */ ++ d = (rnaf[76] - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(Q.X, diff, Q.X, precomp[j].X); ++ fiat_secp384r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); ++ } ++ ++ for (i = 75; i >= 0; i--) { ++ for (j = 0; j < RADIX; j++) ++ point_double(&Q, &Q); ++ d = rnaf[i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, precomp[j].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_proj(&Q, &Q, &lut); ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, precomp[0].X); ++ fiat_secp384r1_opp(lut.Y, precomp[0].Y); ++ fe_copy(lut.Z, precomp[0].Z); ++ point_add_proj(&lut, &lut, &Q); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Fixed scalar multiplication: comb with interleaving. ++ */ ++static void ++fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[48]) ++{ ++ int i, j, k, d, diff, is_neg = 0; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, R; ++ pt_aff_t lut; ++ ++ scalar_rwnaf(rnaf, scalar); ++ ++ /* initalize accumulator to inf */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ for (i = 3; i >= 0; i--) { ++ for (j = 0; i != 3 && j < RADIX; j++) ++ point_double(&Q, &Q); ++ for (j = 0; j < 21; j++) { ++ if (j * 4 + i > 76) ++ continue; ++ d = rnaf[j * 4 + i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (k = 0; k < DRADIX / 2; k++) { ++ diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_mixed(&Q, &Q, &lut); ++ } ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, lut_cmb[0][0].X); ++ fiat_secp384r1_opp(lut.Y, lut_cmb[0][0].Y); ++ point_add_mixed(&R, &Q, &lut); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++static void ++point_mul_two(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char a[48], const unsigned char b[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* simultaneous scalar multiplication */ ++ var_smul_wnaf_two(&P, a, b, &P); ++ ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul_g(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48]) ++{ ++ pt_aff_t P; ++ ++ /* fixed scmul function */ ++ fixed_smul_cmb(&P, scalar); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* var scmul function */ ++ var_smul_rwnaf(&P, scalar, &P); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++#undef RADIX ++#include "ecp.h" ++#include "mplogic.h" ++ ++/*- ++ * reverse bytes -- total hack ++ */ ++#define MP_BE2LE(a) \ ++ do { \ ++ unsigned char z_bswap; \ ++ z_bswap = a[0]; \ ++ a[0] = a[47]; \ ++ a[47] = z_bswap; \ ++ z_bswap = a[1]; \ ++ a[1] = a[46]; \ ++ a[46] = z_bswap; \ ++ z_bswap = a[2]; \ ++ a[2] = a[45]; \ ++ a[45] = z_bswap; \ ++ z_bswap = a[3]; \ ++ a[3] = a[44]; \ ++ a[44] = z_bswap; \ ++ z_bswap = a[4]; \ ++ a[4] = a[43]; \ ++ a[43] = z_bswap; \ ++ z_bswap = a[5]; \ ++ a[5] = a[42]; \ ++ a[42] = z_bswap; \ ++ z_bswap = a[6]; \ ++ a[6] = a[41]; \ ++ a[41] = z_bswap; \ ++ z_bswap = a[7]; \ ++ a[7] = a[40]; \ ++ a[40] = z_bswap; \ ++ z_bswap = a[8]; \ ++ a[8] = a[39]; \ ++ a[39] = z_bswap; \ ++ z_bswap = a[9]; \ ++ a[9] = a[38]; \ ++ a[38] = z_bswap; \ ++ z_bswap = a[10]; \ ++ a[10] = a[37]; \ ++ a[37] = z_bswap; \ ++ z_bswap = a[11]; \ ++ a[11] = a[36]; \ ++ a[36] = z_bswap; \ ++ z_bswap = a[12]; \ ++ a[12] = a[35]; \ ++ a[35] = z_bswap; \ ++ z_bswap = a[13]; \ ++ a[13] = a[34]; \ ++ a[34] = z_bswap; \ ++ z_bswap = a[14]; \ ++ a[14] = a[33]; \ ++ a[33] = z_bswap; \ ++ z_bswap = a[15]; \ ++ a[15] = a[32]; \ ++ a[32] = z_bswap; \ ++ z_bswap = a[16]; \ ++ a[16] = a[31]; \ ++ a[31] = z_bswap; \ ++ z_bswap = a[17]; \ ++ a[17] = a[30]; \ ++ a[30] = z_bswap; \ ++ z_bswap = a[18]; \ ++ a[18] = a[29]; \ ++ a[29] = z_bswap; \ ++ z_bswap = a[19]; \ ++ a[19] = a[28]; \ ++ a[28] = z_bswap; \ ++ z_bswap = a[20]; \ ++ a[20] = a[27]; \ ++ a[27] = z_bswap; \ ++ z_bswap = a[21]; \ ++ a[21] = a[26]; \ ++ a[26] = z_bswap; \ ++ z_bswap = a[22]; \ ++ a[22] = a[25]; \ ++ a[25] = z_bswap; \ ++ z_bswap = a[23]; \ ++ a[23] = a[24]; \ ++ a[24] = z_bswap; \ ++ } while (0) ++ ++static mp_err ++point_mul_g_secp384r1(const mp_int *n, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && out_x != NULL && out_y != NULL, MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_BE2LE(b_n); ++ point_mul_g(b_x, b_y, b_n); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_secp384r1(const mp_int *n, const mp_int *in_x, ++ const mp_int *in_y, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && in_x != NULL && in_y != NULL && out_x != NULL && ++ out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n); ++ point_mul(b_x, b_y, b_n, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_two_secp384r1(const mp_int *n1, const mp_int *n2, ++ const mp_int *in_x, const mp_int *in_y, ++ mp_int *out_x, mp_int *out_y, ++ const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n1[48]; ++ unsigned char b_n2[48]; ++ mp_err res; ++ ++ /* If n2 == NULL, this is just a base-point multiplication. */ ++ if (n2 == NULL) ++ return point_mul_g_secp384r1(n1, out_x, out_y, group); ++ ++ /* If n1 == NULL, this is just an arbitary-point multiplication. */ ++ if (n1 == NULL) ++ return point_mul_secp384r1(n2, in_x, in_y, out_x, out_y, group); ++ ++ ARGCHK(in_x != NULL && in_y != NULL && out_x != NULL && out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n1) > 384 || mp_cmp_z(n1) != 1 || ++ mpl_significant_bits(n2) > 384 || mp_cmp_z(n2) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n1, b_n1, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(n2, b_n2, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n1); ++ MP_BE2LE(b_n2); ++ point_mul_two(b_x, b_y, b_n1, b_n2, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++mp_err ++ec_group_set_secp384r1(ECGroup *group, ECCurveName name) ++{ ++ if (name == ECCurve_NIST_P384) { ++ group->base_point_mul = &point_mul_g_secp384r1; ++ group->point_mul = &point_mul_secp384r1; ++ group->points_mul = &point_mul_two_secp384r1; ++ } ++ return MP_OKAY; ++} ++ ++#else /* __SIZEOF_INT128__ */ ++ ++#include <stdint.h> ++#include <string.h> ++#define LIMB_BITS 32 ++#define LIMB_CNT 12 ++/* Field elements */ ++typedef uint32_t fe_t[LIMB_CNT]; ++typedef uint32_t limb_t; ++ ++#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) ++#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) ++ ++/* Projective points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++ fe_t Z; ++} pt_prj_t; ++ ++/* Affine points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++} pt_aff_t; ++ ++/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ ++/*- ++ * MIT License ++ * ++ * Copyright (c) 2020 the fiat-crypto authors (see the AUTHORS file) ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++/* Autogenerated: word_by_word_montgomery --static secp384r1 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ ++/* curve description: secp384r1 */ ++/* machine_wordsize = 32 (from "32") */ ++/* requested operations: (all) */ ++/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ ++/* */ ++/* NOTE: In addition to the bounds specified above each function, all */ ++/* functions synthesized for this Montgomery arithmetic require the */ ++/* input to be strictly less than the prime modulus (m), and also */ ++/* require the input to be in the unique saturated representation. */ ++/* All functions also ensure that these two properties are true of */ ++/* return values. */ ++/* */ ++/* Computed values: */ ++/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ ++/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ ++ ++#include <stdint.h> ++typedef unsigned char fiat_secp384r1_uint1; ++typedef signed char fiat_secp384r1_int1; ++ ++#if (-1 & 3) != 3 ++#error "This code only works on a two's complement system" ++#endif ++ ++/* ++ * The function fiat_secp384r1_addcarryx_u32 is an addition with carry. ++ * Postconditions: ++ * out1 = (arg1 + arg2 + arg3) mod 2^32 ++ * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffff] ++ * arg3: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_addcarryx_u32(uint32_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint32_t arg2, uint32_t arg3) ++{ ++ uint64_t x1; ++ uint32_t x2; ++ fiat_secp384r1_uint1 x3; ++ x1 = ((arg1 + (uint64_t)arg2) + arg3); ++ x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); ++ x3 = (fiat_secp384r1_uint1)(x1 >> 32); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_subborrowx_u32 is a subtraction with borrow. ++ * Postconditions: ++ * out1 = (-arg1 + arg2 + -arg3) mod 2^32 ++ * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffff] ++ * arg3: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_subborrowx_u32(uint32_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint32_t arg2, uint32_t arg3) ++{ ++ int64_t x1; ++ fiat_secp384r1_int1 x2; ++ uint32_t x3; ++ x1 = ((arg2 - (int64_t)arg1) - arg3); ++ x2 = (fiat_secp384r1_int1)(x1 >> 32); ++ x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); ++ *out1 = x3; ++ *out2 = (fiat_secp384r1_uint1)(0x0 - x2); ++} ++ ++/* ++ * The function fiat_secp384r1_mulx_u32 is a multiplication, returning the full double-width result. ++ * Postconditions: ++ * out1 = (arg1 * arg2) mod 2^32 ++ * out2 = ⌊arg1 * arg2 / 2^32⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0xffffffff] ++ * arg2: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ * out2: [0x0 ~> 0xffffffff] ++ */ ++static void ++fiat_secp384r1_mulx_u32(uint32_t *out1, uint32_t *out2, ++ uint32_t arg1, uint32_t arg2) ++{ ++ uint64_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ x1 = ((uint64_t)arg1 * arg2); ++ x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); ++ x3 = (uint32_t)(x1 >> 32); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_cmovznz_u32 is a single-word conditional move. ++ * Postconditions: ++ * out1 = (if arg1 = 0 then arg2 else arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffff] ++ * arg3: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ */ ++static void ++fiat_secp384r1_cmovznz_u32(uint32_t *out1, ++ fiat_secp384r1_uint1 arg1, uint32_t arg2, ++ uint32_t arg3) ++{ ++ fiat_secp384r1_uint1 x1; ++ uint32_t x2; ++ uint32_t x3; ++ x1 = (!(!arg1)); ++ x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT32_C(0xffffffff)); ++ x3 = ((x2 & arg3) | ((~x2) & arg2)); ++ *out1 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_mul(uint32_t out1[12], const uint32_t arg1[12], ++ const uint32_t arg2[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ uint32_t x23; ++ uint32_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint32_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint32_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint32_t x36; ++ uint32_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint32_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint32_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint32_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint32_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint32_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ uint32_t x63; ++ uint32_t x64; ++ uint32_t x65; ++ uint32_t x66; ++ uint32_t x67; ++ uint32_t x68; ++ uint32_t x69; ++ uint32_t x70; ++ uint32_t x71; ++ uint32_t x72; ++ uint32_t x73; ++ uint32_t x74; ++ uint32_t x75; ++ uint32_t x76; ++ uint32_t x77; ++ uint32_t x78; ++ uint32_t x79; ++ uint32_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint32_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint32_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint32_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint32_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint32_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint32_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint32_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint32_t x96; ++ uint32_t x97; ++ fiat_secp384r1_uint1 x98; ++ uint32_t x99; ++ fiat_secp384r1_uint1 x100; ++ uint32_t x101; ++ fiat_secp384r1_uint1 x102; ++ uint32_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint32_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint32_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint32_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint32_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint32_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint32_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint32_t x117; ++ fiat_secp384r1_uint1 x118; ++ uint32_t x119; ++ fiat_secp384r1_uint1 x120; ++ uint32_t x121; ++ fiat_secp384r1_uint1 x122; ++ uint32_t x123; ++ uint32_t x124; ++ uint32_t x125; ++ uint32_t x126; ++ uint32_t x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ uint32_t x138; ++ uint32_t x139; ++ uint32_t x140; ++ uint32_t x141; ++ uint32_t x142; ++ uint32_t x143; ++ uint32_t x144; ++ uint32_t x145; ++ uint32_t x146; ++ uint32_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint32_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint32_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint32_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint32_t x155; ++ fiat_secp384r1_uint1 x156; ++ uint32_t x157; ++ fiat_secp384r1_uint1 x158; ++ uint32_t x159; ++ fiat_secp384r1_uint1 x160; ++ uint32_t x161; ++ fiat_secp384r1_uint1 x162; ++ uint32_t x163; ++ fiat_secp384r1_uint1 x164; ++ uint32_t x165; ++ fiat_secp384r1_uint1 x166; ++ uint32_t x167; ++ fiat_secp384r1_uint1 x168; ++ uint32_t x169; ++ uint32_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint32_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint32_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint32_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint32_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint32_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint32_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint32_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint32_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint32_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint32_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint32_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint32_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint32_t x196; ++ uint32_t x197; ++ uint32_t x198; ++ uint32_t x199; ++ uint32_t x200; ++ uint32_t x201; ++ uint32_t x202; ++ uint32_t x203; ++ uint32_t x204; ++ uint32_t x205; ++ uint32_t x206; ++ uint32_t x207; ++ uint32_t x208; ++ uint32_t x209; ++ uint32_t x210; ++ uint32_t x211; ++ uint32_t x212; ++ uint32_t x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint32_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint32_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint32_t x222; ++ fiat_secp384r1_uint1 x223; ++ uint32_t x224; ++ fiat_secp384r1_uint1 x225; ++ uint32_t x226; ++ fiat_secp384r1_uint1 x227; ++ uint32_t x228; ++ fiat_secp384r1_uint1 x229; ++ uint32_t x230; ++ fiat_secp384r1_uint1 x231; ++ uint32_t x232; ++ uint32_t x233; ++ fiat_secp384r1_uint1 x234; ++ uint32_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint32_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint32_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint32_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint32_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint32_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint32_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint32_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint32_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint32_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint32_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint32_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint32_t x259; ++ uint32_t x260; ++ uint32_t x261; ++ uint32_t x262; ++ uint32_t x263; ++ uint32_t x264; ++ uint32_t x265; ++ uint32_t x266; ++ uint32_t x267; ++ uint32_t x268; ++ uint32_t x269; ++ uint32_t x270; ++ uint32_t x271; ++ uint32_t x272; ++ uint32_t x273; ++ uint32_t x274; ++ uint32_t x275; ++ uint32_t x276; ++ uint32_t x277; ++ uint32_t x278; ++ uint32_t x279; ++ uint32_t x280; ++ uint32_t x281; ++ uint32_t x282; ++ uint32_t x283; ++ uint32_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint32_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint32_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint32_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint32_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint32_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint32_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint32_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint32_t x300; ++ fiat_secp384r1_uint1 x301; ++ uint32_t x302; ++ fiat_secp384r1_uint1 x303; ++ uint32_t x304; ++ fiat_secp384r1_uint1 x305; ++ uint32_t x306; ++ uint32_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint32_t x309; ++ fiat_secp384r1_uint1 x310; ++ uint32_t x311; ++ fiat_secp384r1_uint1 x312; ++ uint32_t x313; ++ fiat_secp384r1_uint1 x314; ++ uint32_t x315; ++ fiat_secp384r1_uint1 x316; ++ uint32_t x317; ++ fiat_secp384r1_uint1 x318; ++ uint32_t x319; ++ fiat_secp384r1_uint1 x320; ++ uint32_t x321; ++ fiat_secp384r1_uint1 x322; ++ uint32_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint32_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint32_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint32_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint32_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint32_t x333; ++ uint32_t x334; ++ uint32_t x335; ++ uint32_t x336; ++ uint32_t x337; ++ uint32_t x338; ++ uint32_t x339; ++ uint32_t x340; ++ uint32_t x341; ++ uint32_t x342; ++ uint32_t x343; ++ uint32_t x344; ++ uint32_t x345; ++ uint32_t x346; ++ uint32_t x347; ++ uint32_t x348; ++ uint32_t x349; ++ uint32_t x350; ++ uint32_t x351; ++ uint32_t x352; ++ uint32_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint32_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint32_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint32_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint32_t x361; ++ fiat_secp384r1_uint1 x362; ++ uint32_t x363; ++ fiat_secp384r1_uint1 x364; ++ uint32_t x365; ++ fiat_secp384r1_uint1 x366; ++ uint32_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint32_t x369; ++ uint32_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint32_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint32_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint32_t x376; ++ fiat_secp384r1_uint1 x377; ++ uint32_t x378; ++ fiat_secp384r1_uint1 x379; ++ uint32_t x380; ++ fiat_secp384r1_uint1 x381; ++ uint32_t x382; ++ fiat_secp384r1_uint1 x383; ++ uint32_t x384; ++ fiat_secp384r1_uint1 x385; ++ uint32_t x386; ++ fiat_secp384r1_uint1 x387; ++ uint32_t x388; ++ fiat_secp384r1_uint1 x389; ++ uint32_t x390; ++ fiat_secp384r1_uint1 x391; ++ uint32_t x392; ++ fiat_secp384r1_uint1 x393; ++ uint32_t x394; ++ fiat_secp384r1_uint1 x395; ++ uint32_t x396; ++ uint32_t x397; ++ uint32_t x398; ++ uint32_t x399; ++ uint32_t x400; ++ uint32_t x401; ++ uint32_t x402; ++ uint32_t x403; ++ uint32_t x404; ++ uint32_t x405; ++ uint32_t x406; ++ uint32_t x407; ++ uint32_t x408; ++ uint32_t x409; ++ uint32_t x410; ++ uint32_t x411; ++ uint32_t x412; ++ uint32_t x413; ++ uint32_t x414; ++ uint32_t x415; ++ uint32_t x416; ++ uint32_t x417; ++ uint32_t x418; ++ uint32_t x419; ++ uint32_t x420; ++ uint32_t x421; ++ fiat_secp384r1_uint1 x422; ++ uint32_t x423; ++ fiat_secp384r1_uint1 x424; ++ uint32_t x425; ++ fiat_secp384r1_uint1 x426; ++ uint32_t x427; ++ fiat_secp384r1_uint1 x428; ++ uint32_t x429; ++ fiat_secp384r1_uint1 x430; ++ uint32_t x431; ++ fiat_secp384r1_uint1 x432; ++ uint32_t x433; ++ fiat_secp384r1_uint1 x434; ++ uint32_t x435; ++ fiat_secp384r1_uint1 x436; ++ uint32_t x437; ++ fiat_secp384r1_uint1 x438; ++ uint32_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint32_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint32_t x443; ++ uint32_t x444; ++ fiat_secp384r1_uint1 x445; ++ uint32_t x446; ++ fiat_secp384r1_uint1 x447; ++ uint32_t x448; ++ fiat_secp384r1_uint1 x449; ++ uint32_t x450; ++ fiat_secp384r1_uint1 x451; ++ uint32_t x452; ++ fiat_secp384r1_uint1 x453; ++ uint32_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint32_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint32_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint32_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint32_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint32_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint32_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint32_t x468; ++ fiat_secp384r1_uint1 x469; ++ uint32_t x470; ++ uint32_t x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ uint32_t x476; ++ uint32_t x477; ++ uint32_t x478; ++ uint32_t x479; ++ uint32_t x480; ++ uint32_t x481; ++ uint32_t x482; ++ uint32_t x483; ++ uint32_t x484; ++ uint32_t x485; ++ uint32_t x486; ++ uint32_t x487; ++ uint32_t x488; ++ uint32_t x489; ++ uint32_t x490; ++ fiat_secp384r1_uint1 x491; ++ uint32_t x492; ++ fiat_secp384r1_uint1 x493; ++ uint32_t x494; ++ fiat_secp384r1_uint1 x495; ++ uint32_t x496; ++ fiat_secp384r1_uint1 x497; ++ uint32_t x498; ++ fiat_secp384r1_uint1 x499; ++ uint32_t x500; ++ fiat_secp384r1_uint1 x501; ++ uint32_t x502; ++ fiat_secp384r1_uint1 x503; ++ uint32_t x504; ++ fiat_secp384r1_uint1 x505; ++ uint32_t x506; ++ uint32_t x507; ++ fiat_secp384r1_uint1 x508; ++ uint32_t x509; ++ fiat_secp384r1_uint1 x510; ++ uint32_t x511; ++ fiat_secp384r1_uint1 x512; ++ uint32_t x513; ++ fiat_secp384r1_uint1 x514; ++ uint32_t x515; ++ fiat_secp384r1_uint1 x516; ++ uint32_t x517; ++ fiat_secp384r1_uint1 x518; ++ uint32_t x519; ++ fiat_secp384r1_uint1 x520; ++ uint32_t x521; ++ fiat_secp384r1_uint1 x522; ++ uint32_t x523; ++ fiat_secp384r1_uint1 x524; ++ uint32_t x525; ++ fiat_secp384r1_uint1 x526; ++ uint32_t x527; ++ fiat_secp384r1_uint1 x528; ++ uint32_t x529; ++ fiat_secp384r1_uint1 x530; ++ uint32_t x531; ++ fiat_secp384r1_uint1 x532; ++ uint32_t x533; ++ uint32_t x534; ++ uint32_t x535; ++ uint32_t x536; ++ uint32_t x537; ++ uint32_t x538; ++ uint32_t x539; ++ uint32_t x540; ++ uint32_t x541; ++ uint32_t x542; ++ uint32_t x543; ++ uint32_t x544; ++ uint32_t x545; ++ uint32_t x546; ++ uint32_t x547; ++ uint32_t x548; ++ uint32_t x549; ++ uint32_t x550; ++ uint32_t x551; ++ uint32_t x552; ++ uint32_t x553; ++ uint32_t x554; ++ uint32_t x555; ++ uint32_t x556; ++ uint32_t x557; ++ uint32_t x558; ++ fiat_secp384r1_uint1 x559; ++ uint32_t x560; ++ fiat_secp384r1_uint1 x561; ++ uint32_t x562; ++ fiat_secp384r1_uint1 x563; ++ uint32_t x564; ++ fiat_secp384r1_uint1 x565; ++ uint32_t x566; ++ fiat_secp384r1_uint1 x567; ++ uint32_t x568; ++ fiat_secp384r1_uint1 x569; ++ uint32_t x570; ++ fiat_secp384r1_uint1 x571; ++ uint32_t x572; ++ fiat_secp384r1_uint1 x573; ++ uint32_t x574; ++ fiat_secp384r1_uint1 x575; ++ uint32_t x576; ++ fiat_secp384r1_uint1 x577; ++ uint32_t x578; ++ fiat_secp384r1_uint1 x579; ++ uint32_t x580; ++ uint32_t x581; ++ fiat_secp384r1_uint1 x582; ++ uint32_t x583; ++ fiat_secp384r1_uint1 x584; ++ uint32_t x585; ++ fiat_secp384r1_uint1 x586; ++ uint32_t x587; ++ fiat_secp384r1_uint1 x588; ++ uint32_t x589; ++ fiat_secp384r1_uint1 x590; ++ uint32_t x591; ++ fiat_secp384r1_uint1 x592; ++ uint32_t x593; ++ fiat_secp384r1_uint1 x594; ++ uint32_t x595; ++ fiat_secp384r1_uint1 x596; ++ uint32_t x597; ++ fiat_secp384r1_uint1 x598; ++ uint32_t x599; ++ fiat_secp384r1_uint1 x600; ++ uint32_t x601; ++ fiat_secp384r1_uint1 x602; ++ uint32_t x603; ++ fiat_secp384r1_uint1 x604; ++ uint32_t x605; ++ fiat_secp384r1_uint1 x606; ++ uint32_t x607; ++ uint32_t x608; ++ uint32_t x609; ++ uint32_t x610; ++ uint32_t x611; ++ uint32_t x612; ++ uint32_t x613; ++ uint32_t x614; ++ uint32_t x615; ++ uint32_t x616; ++ uint32_t x617; ++ uint32_t x618; ++ uint32_t x619; ++ uint32_t x620; ++ uint32_t x621; ++ uint32_t x622; ++ uint32_t x623; ++ uint32_t x624; ++ uint32_t x625; ++ uint32_t x626; ++ uint32_t x627; ++ fiat_secp384r1_uint1 x628; ++ uint32_t x629; ++ fiat_secp384r1_uint1 x630; ++ uint32_t x631; ++ fiat_secp384r1_uint1 x632; ++ uint32_t x633; ++ fiat_secp384r1_uint1 x634; ++ uint32_t x635; ++ fiat_secp384r1_uint1 x636; ++ uint32_t x637; ++ fiat_secp384r1_uint1 x638; ++ uint32_t x639; ++ fiat_secp384r1_uint1 x640; ++ uint32_t x641; ++ fiat_secp384r1_uint1 x642; ++ uint32_t x643; ++ uint32_t x644; ++ fiat_secp384r1_uint1 x645; ++ uint32_t x646; ++ fiat_secp384r1_uint1 x647; ++ uint32_t x648; ++ fiat_secp384r1_uint1 x649; ++ uint32_t x650; ++ fiat_secp384r1_uint1 x651; ++ uint32_t x652; ++ fiat_secp384r1_uint1 x653; ++ uint32_t x654; ++ fiat_secp384r1_uint1 x655; ++ uint32_t x656; ++ fiat_secp384r1_uint1 x657; ++ uint32_t x658; ++ fiat_secp384r1_uint1 x659; ++ uint32_t x660; ++ fiat_secp384r1_uint1 x661; ++ uint32_t x662; ++ fiat_secp384r1_uint1 x663; ++ uint32_t x664; ++ fiat_secp384r1_uint1 x665; ++ uint32_t x666; ++ fiat_secp384r1_uint1 x667; ++ uint32_t x668; ++ fiat_secp384r1_uint1 x669; ++ uint32_t x670; ++ uint32_t x671; ++ uint32_t x672; ++ uint32_t x673; ++ uint32_t x674; ++ uint32_t x675; ++ uint32_t x676; ++ uint32_t x677; ++ uint32_t x678; ++ uint32_t x679; ++ uint32_t x680; ++ uint32_t x681; ++ uint32_t x682; ++ uint32_t x683; ++ uint32_t x684; ++ uint32_t x685; ++ uint32_t x686; ++ uint32_t x687; ++ uint32_t x688; ++ uint32_t x689; ++ uint32_t x690; ++ uint32_t x691; ++ uint32_t x692; ++ uint32_t x693; ++ uint32_t x694; ++ uint32_t x695; ++ fiat_secp384r1_uint1 x696; ++ uint32_t x697; ++ fiat_secp384r1_uint1 x698; ++ uint32_t x699; ++ fiat_secp384r1_uint1 x700; ++ uint32_t x701; ++ fiat_secp384r1_uint1 x702; ++ uint32_t x703; ++ fiat_secp384r1_uint1 x704; ++ uint32_t x705; ++ fiat_secp384r1_uint1 x706; ++ uint32_t x707; ++ fiat_secp384r1_uint1 x708; ++ uint32_t x709; ++ fiat_secp384r1_uint1 x710; ++ uint32_t x711; ++ fiat_secp384r1_uint1 x712; ++ uint32_t x713; ++ fiat_secp384r1_uint1 x714; ++ uint32_t x715; ++ fiat_secp384r1_uint1 x716; ++ uint32_t x717; ++ uint32_t x718; ++ fiat_secp384r1_uint1 x719; ++ uint32_t x720; ++ fiat_secp384r1_uint1 x721; ++ uint32_t x722; ++ fiat_secp384r1_uint1 x723; ++ uint32_t x724; ++ fiat_secp384r1_uint1 x725; ++ uint32_t x726; ++ fiat_secp384r1_uint1 x727; ++ uint32_t x728; ++ fiat_secp384r1_uint1 x729; ++ uint32_t x730; ++ fiat_secp384r1_uint1 x731; ++ uint32_t x732; ++ fiat_secp384r1_uint1 x733; ++ uint32_t x734; ++ fiat_secp384r1_uint1 x735; ++ uint32_t x736; ++ fiat_secp384r1_uint1 x737; ++ uint32_t x738; ++ fiat_secp384r1_uint1 x739; ++ uint32_t x740; ++ fiat_secp384r1_uint1 x741; ++ uint32_t x742; ++ fiat_secp384r1_uint1 x743; ++ uint32_t x744; ++ uint32_t x745; ++ uint32_t x746; ++ uint32_t x747; ++ uint32_t x748; ++ uint32_t x749; ++ uint32_t x750; ++ uint32_t x751; ++ uint32_t x752; ++ uint32_t x753; ++ uint32_t x754; ++ uint32_t x755; ++ uint32_t x756; ++ uint32_t x757; ++ uint32_t x758; ++ uint32_t x759; ++ uint32_t x760; ++ uint32_t x761; ++ uint32_t x762; ++ uint32_t x763; ++ uint32_t x764; ++ fiat_secp384r1_uint1 x765; ++ uint32_t x766; ++ fiat_secp384r1_uint1 x767; ++ uint32_t x768; ++ fiat_secp384r1_uint1 x769; ++ uint32_t x770; ++ fiat_secp384r1_uint1 x771; ++ uint32_t x772; ++ fiat_secp384r1_uint1 x773; ++ uint32_t x774; ++ fiat_secp384r1_uint1 x775; ++ uint32_t x776; ++ fiat_secp384r1_uint1 x777; ++ uint32_t x778; ++ fiat_secp384r1_uint1 x779; ++ uint32_t x780; ++ uint32_t x781; ++ fiat_secp384r1_uint1 x782; ++ uint32_t x783; ++ fiat_secp384r1_uint1 x784; ++ uint32_t x785; ++ fiat_secp384r1_uint1 x786; ++ uint32_t x787; ++ fiat_secp384r1_uint1 x788; ++ uint32_t x789; ++ fiat_secp384r1_uint1 x790; ++ uint32_t x791; ++ fiat_secp384r1_uint1 x792; ++ uint32_t x793; ++ fiat_secp384r1_uint1 x794; ++ uint32_t x795; ++ fiat_secp384r1_uint1 x796; ++ uint32_t x797; ++ fiat_secp384r1_uint1 x798; ++ uint32_t x799; ++ fiat_secp384r1_uint1 x800; ++ uint32_t x801; ++ fiat_secp384r1_uint1 x802; ++ uint32_t x803; ++ fiat_secp384r1_uint1 x804; ++ uint32_t x805; ++ fiat_secp384r1_uint1 x806; ++ uint32_t x807; ++ uint32_t x808; ++ uint32_t x809; ++ uint32_t x810; ++ uint32_t x811; ++ uint32_t x812; ++ uint32_t x813; ++ uint32_t x814; ++ uint32_t x815; ++ uint32_t x816; ++ uint32_t x817; ++ uint32_t x818; ++ uint32_t x819; ++ uint32_t x820; ++ uint32_t x821; ++ uint32_t x822; ++ uint32_t x823; ++ uint32_t x824; ++ uint32_t x825; ++ uint32_t x826; ++ uint32_t x827; ++ uint32_t x828; ++ uint32_t x829; ++ uint32_t x830; ++ uint32_t x831; ++ uint32_t x832; ++ fiat_secp384r1_uint1 x833; ++ uint32_t x834; ++ fiat_secp384r1_uint1 x835; ++ uint32_t x836; ++ fiat_secp384r1_uint1 x837; ++ uint32_t x838; ++ fiat_secp384r1_uint1 x839; ++ uint32_t x840; ++ fiat_secp384r1_uint1 x841; ++ uint32_t x842; ++ fiat_secp384r1_uint1 x843; ++ uint32_t x844; ++ fiat_secp384r1_uint1 x845; ++ uint32_t x846; ++ fiat_secp384r1_uint1 x847; ++ uint32_t x848; ++ fiat_secp384r1_uint1 x849; ++ uint32_t x850; ++ fiat_secp384r1_uint1 x851; ++ uint32_t x852; ++ fiat_secp384r1_uint1 x853; ++ uint32_t x854; ++ uint32_t x855; ++ fiat_secp384r1_uint1 x856; ++ uint32_t x857; ++ fiat_secp384r1_uint1 x858; ++ uint32_t x859; ++ fiat_secp384r1_uint1 x860; ++ uint32_t x861; ++ fiat_secp384r1_uint1 x862; ++ uint32_t x863; ++ fiat_secp384r1_uint1 x864; ++ uint32_t x865; ++ fiat_secp384r1_uint1 x866; ++ uint32_t x867; ++ fiat_secp384r1_uint1 x868; ++ uint32_t x869; ++ fiat_secp384r1_uint1 x870; ++ uint32_t x871; ++ fiat_secp384r1_uint1 x872; ++ uint32_t x873; ++ fiat_secp384r1_uint1 x874; ++ uint32_t x875; ++ fiat_secp384r1_uint1 x876; ++ uint32_t x877; ++ fiat_secp384r1_uint1 x878; ++ uint32_t x879; ++ fiat_secp384r1_uint1 x880; ++ uint32_t x881; ++ uint32_t x882; ++ uint32_t x883; ++ uint32_t x884; ++ uint32_t x885; ++ uint32_t x886; ++ uint32_t x887; ++ uint32_t x888; ++ uint32_t x889; ++ uint32_t x890; ++ uint32_t x891; ++ uint32_t x892; ++ uint32_t x893; ++ uint32_t x894; ++ uint32_t x895; ++ uint32_t x896; ++ uint32_t x897; ++ uint32_t x898; ++ uint32_t x899; ++ uint32_t x900; ++ uint32_t x901; ++ fiat_secp384r1_uint1 x902; ++ uint32_t x903; ++ fiat_secp384r1_uint1 x904; ++ uint32_t x905; ++ fiat_secp384r1_uint1 x906; ++ uint32_t x907; ++ fiat_secp384r1_uint1 x908; ++ uint32_t x909; ++ fiat_secp384r1_uint1 x910; ++ uint32_t x911; ++ fiat_secp384r1_uint1 x912; ++ uint32_t x913; ++ fiat_secp384r1_uint1 x914; ++ uint32_t x915; ++ fiat_secp384r1_uint1 x916; ++ uint32_t x917; ++ uint32_t x918; ++ fiat_secp384r1_uint1 x919; ++ uint32_t x920; ++ fiat_secp384r1_uint1 x921; ++ uint32_t x922; ++ fiat_secp384r1_uint1 x923; ++ uint32_t x924; ++ fiat_secp384r1_uint1 x925; ++ uint32_t x926; ++ fiat_secp384r1_uint1 x927; ++ uint32_t x928; ++ fiat_secp384r1_uint1 x929; ++ uint32_t x930; ++ fiat_secp384r1_uint1 x931; ++ uint32_t x932; ++ fiat_secp384r1_uint1 x933; ++ uint32_t x934; ++ fiat_secp384r1_uint1 x935; ++ uint32_t x936; ++ fiat_secp384r1_uint1 x937; ++ uint32_t x938; ++ fiat_secp384r1_uint1 x939; ++ uint32_t x940; ++ fiat_secp384r1_uint1 x941; ++ uint32_t x942; ++ fiat_secp384r1_uint1 x943; ++ uint32_t x944; ++ uint32_t x945; ++ uint32_t x946; ++ uint32_t x947; ++ uint32_t x948; ++ uint32_t x949; ++ uint32_t x950; ++ uint32_t x951; ++ uint32_t x952; ++ uint32_t x953; ++ uint32_t x954; ++ uint32_t x955; ++ uint32_t x956; ++ uint32_t x957; ++ uint32_t x958; ++ uint32_t x959; ++ uint32_t x960; ++ uint32_t x961; ++ uint32_t x962; ++ uint32_t x963; ++ uint32_t x964; ++ uint32_t x965; ++ uint32_t x966; ++ uint32_t x967; ++ uint32_t x968; ++ uint32_t x969; ++ fiat_secp384r1_uint1 x970; ++ uint32_t x971; ++ fiat_secp384r1_uint1 x972; ++ uint32_t x973; ++ fiat_secp384r1_uint1 x974; ++ uint32_t x975; ++ fiat_secp384r1_uint1 x976; ++ uint32_t x977; ++ fiat_secp384r1_uint1 x978; ++ uint32_t x979; ++ fiat_secp384r1_uint1 x980; ++ uint32_t x981; ++ fiat_secp384r1_uint1 x982; ++ uint32_t x983; ++ fiat_secp384r1_uint1 x984; ++ uint32_t x985; ++ fiat_secp384r1_uint1 x986; ++ uint32_t x987; ++ fiat_secp384r1_uint1 x988; ++ uint32_t x989; ++ fiat_secp384r1_uint1 x990; ++ uint32_t x991; ++ uint32_t x992; ++ fiat_secp384r1_uint1 x993; ++ uint32_t x994; ++ fiat_secp384r1_uint1 x995; ++ uint32_t x996; ++ fiat_secp384r1_uint1 x997; ++ uint32_t x998; ++ fiat_secp384r1_uint1 x999; ++ uint32_t x1000; ++ fiat_secp384r1_uint1 x1001; ++ uint32_t x1002; ++ fiat_secp384r1_uint1 x1003; ++ uint32_t x1004; ++ fiat_secp384r1_uint1 x1005; ++ uint32_t x1006; ++ fiat_secp384r1_uint1 x1007; ++ uint32_t x1008; ++ fiat_secp384r1_uint1 x1009; ++ uint32_t x1010; ++ fiat_secp384r1_uint1 x1011; ++ uint32_t x1012; ++ fiat_secp384r1_uint1 x1013; ++ uint32_t x1014; ++ fiat_secp384r1_uint1 x1015; ++ uint32_t x1016; ++ fiat_secp384r1_uint1 x1017; ++ uint32_t x1018; ++ uint32_t x1019; ++ uint32_t x1020; ++ uint32_t x1021; ++ uint32_t x1022; ++ uint32_t x1023; ++ uint32_t x1024; ++ uint32_t x1025; ++ uint32_t x1026; ++ uint32_t x1027; ++ uint32_t x1028; ++ uint32_t x1029; ++ uint32_t x1030; ++ uint32_t x1031; ++ uint32_t x1032; ++ uint32_t x1033; ++ uint32_t x1034; ++ uint32_t x1035; ++ uint32_t x1036; ++ uint32_t x1037; ++ uint32_t x1038; ++ fiat_secp384r1_uint1 x1039; ++ uint32_t x1040; ++ fiat_secp384r1_uint1 x1041; ++ uint32_t x1042; ++ fiat_secp384r1_uint1 x1043; ++ uint32_t x1044; ++ fiat_secp384r1_uint1 x1045; ++ uint32_t x1046; ++ fiat_secp384r1_uint1 x1047; ++ uint32_t x1048; ++ fiat_secp384r1_uint1 x1049; ++ uint32_t x1050; ++ fiat_secp384r1_uint1 x1051; ++ uint32_t x1052; ++ fiat_secp384r1_uint1 x1053; ++ uint32_t x1054; ++ uint32_t x1055; ++ fiat_secp384r1_uint1 x1056; ++ uint32_t x1057; ++ fiat_secp384r1_uint1 x1058; ++ uint32_t x1059; ++ fiat_secp384r1_uint1 x1060; ++ uint32_t x1061; ++ fiat_secp384r1_uint1 x1062; ++ uint32_t x1063; ++ fiat_secp384r1_uint1 x1064; ++ uint32_t x1065; ++ fiat_secp384r1_uint1 x1066; ++ uint32_t x1067; ++ fiat_secp384r1_uint1 x1068; ++ uint32_t x1069; ++ fiat_secp384r1_uint1 x1070; ++ uint32_t x1071; ++ fiat_secp384r1_uint1 x1072; ++ uint32_t x1073; ++ fiat_secp384r1_uint1 x1074; ++ uint32_t x1075; ++ fiat_secp384r1_uint1 x1076; ++ uint32_t x1077; ++ fiat_secp384r1_uint1 x1078; ++ uint32_t x1079; ++ fiat_secp384r1_uint1 x1080; ++ uint32_t x1081; ++ uint32_t x1082; ++ uint32_t x1083; ++ uint32_t x1084; ++ uint32_t x1085; ++ uint32_t x1086; ++ uint32_t x1087; ++ uint32_t x1088; ++ uint32_t x1089; ++ uint32_t x1090; ++ uint32_t x1091; ++ uint32_t x1092; ++ uint32_t x1093; ++ uint32_t x1094; ++ uint32_t x1095; ++ uint32_t x1096; ++ uint32_t x1097; ++ uint32_t x1098; ++ uint32_t x1099; ++ uint32_t x1100; ++ uint32_t x1101; ++ uint32_t x1102; ++ uint32_t x1103; ++ uint32_t x1104; ++ uint32_t x1105; ++ uint32_t x1106; ++ fiat_secp384r1_uint1 x1107; ++ uint32_t x1108; ++ fiat_secp384r1_uint1 x1109; ++ uint32_t x1110; ++ fiat_secp384r1_uint1 x1111; ++ uint32_t x1112; ++ fiat_secp384r1_uint1 x1113; ++ uint32_t x1114; ++ fiat_secp384r1_uint1 x1115; ++ uint32_t x1116; ++ fiat_secp384r1_uint1 x1117; ++ uint32_t x1118; ++ fiat_secp384r1_uint1 x1119; ++ uint32_t x1120; ++ fiat_secp384r1_uint1 x1121; ++ uint32_t x1122; ++ fiat_secp384r1_uint1 x1123; ++ uint32_t x1124; ++ fiat_secp384r1_uint1 x1125; ++ uint32_t x1126; ++ fiat_secp384r1_uint1 x1127; ++ uint32_t x1128; ++ uint32_t x1129; ++ fiat_secp384r1_uint1 x1130; ++ uint32_t x1131; ++ fiat_secp384r1_uint1 x1132; ++ uint32_t x1133; ++ fiat_secp384r1_uint1 x1134; ++ uint32_t x1135; ++ fiat_secp384r1_uint1 x1136; ++ uint32_t x1137; ++ fiat_secp384r1_uint1 x1138; ++ uint32_t x1139; ++ fiat_secp384r1_uint1 x1140; ++ uint32_t x1141; ++ fiat_secp384r1_uint1 x1142; ++ uint32_t x1143; ++ fiat_secp384r1_uint1 x1144; ++ uint32_t x1145; ++ fiat_secp384r1_uint1 x1146; ++ uint32_t x1147; ++ fiat_secp384r1_uint1 x1148; ++ uint32_t x1149; ++ fiat_secp384r1_uint1 x1150; ++ uint32_t x1151; ++ fiat_secp384r1_uint1 x1152; ++ uint32_t x1153; ++ fiat_secp384r1_uint1 x1154; ++ uint32_t x1155; ++ uint32_t x1156; ++ uint32_t x1157; ++ uint32_t x1158; ++ uint32_t x1159; ++ uint32_t x1160; ++ uint32_t x1161; ++ uint32_t x1162; ++ uint32_t x1163; ++ uint32_t x1164; ++ uint32_t x1165; ++ uint32_t x1166; ++ uint32_t x1167; ++ uint32_t x1168; ++ uint32_t x1169; ++ uint32_t x1170; ++ uint32_t x1171; ++ uint32_t x1172; ++ uint32_t x1173; ++ uint32_t x1174; ++ uint32_t x1175; ++ fiat_secp384r1_uint1 x1176; ++ uint32_t x1177; ++ fiat_secp384r1_uint1 x1178; ++ uint32_t x1179; ++ fiat_secp384r1_uint1 x1180; ++ uint32_t x1181; ++ fiat_secp384r1_uint1 x1182; ++ uint32_t x1183; ++ fiat_secp384r1_uint1 x1184; ++ uint32_t x1185; ++ fiat_secp384r1_uint1 x1186; ++ uint32_t x1187; ++ fiat_secp384r1_uint1 x1188; ++ uint32_t x1189; ++ fiat_secp384r1_uint1 x1190; ++ uint32_t x1191; ++ uint32_t x1192; ++ fiat_secp384r1_uint1 x1193; ++ uint32_t x1194; ++ fiat_secp384r1_uint1 x1195; ++ uint32_t x1196; ++ fiat_secp384r1_uint1 x1197; ++ uint32_t x1198; ++ fiat_secp384r1_uint1 x1199; ++ uint32_t x1200; ++ fiat_secp384r1_uint1 x1201; ++ uint32_t x1202; ++ fiat_secp384r1_uint1 x1203; ++ uint32_t x1204; ++ fiat_secp384r1_uint1 x1205; ++ uint32_t x1206; ++ fiat_secp384r1_uint1 x1207; ++ uint32_t x1208; ++ fiat_secp384r1_uint1 x1209; ++ uint32_t x1210; ++ fiat_secp384r1_uint1 x1211; ++ uint32_t x1212; ++ fiat_secp384r1_uint1 x1213; ++ uint32_t x1214; ++ fiat_secp384r1_uint1 x1215; ++ uint32_t x1216; ++ fiat_secp384r1_uint1 x1217; ++ uint32_t x1218; ++ uint32_t x1219; ++ uint32_t x1220; ++ uint32_t x1221; ++ uint32_t x1222; ++ uint32_t x1223; ++ uint32_t x1224; ++ uint32_t x1225; ++ uint32_t x1226; ++ uint32_t x1227; ++ uint32_t x1228; ++ uint32_t x1229; ++ uint32_t x1230; ++ uint32_t x1231; ++ uint32_t x1232; ++ uint32_t x1233; ++ uint32_t x1234; ++ uint32_t x1235; ++ uint32_t x1236; ++ uint32_t x1237; ++ uint32_t x1238; ++ uint32_t x1239; ++ uint32_t x1240; ++ uint32_t x1241; ++ uint32_t x1242; ++ uint32_t x1243; ++ fiat_secp384r1_uint1 x1244; ++ uint32_t x1245; ++ fiat_secp384r1_uint1 x1246; ++ uint32_t x1247; ++ fiat_secp384r1_uint1 x1248; ++ uint32_t x1249; ++ fiat_secp384r1_uint1 x1250; ++ uint32_t x1251; ++ fiat_secp384r1_uint1 x1252; ++ uint32_t x1253; ++ fiat_secp384r1_uint1 x1254; ++ uint32_t x1255; ++ fiat_secp384r1_uint1 x1256; ++ uint32_t x1257; ++ fiat_secp384r1_uint1 x1258; ++ uint32_t x1259; ++ fiat_secp384r1_uint1 x1260; ++ uint32_t x1261; ++ fiat_secp384r1_uint1 x1262; ++ uint32_t x1263; ++ fiat_secp384r1_uint1 x1264; ++ uint32_t x1265; ++ uint32_t x1266; ++ fiat_secp384r1_uint1 x1267; ++ uint32_t x1268; ++ fiat_secp384r1_uint1 x1269; ++ uint32_t x1270; ++ fiat_secp384r1_uint1 x1271; ++ uint32_t x1272; ++ fiat_secp384r1_uint1 x1273; ++ uint32_t x1274; ++ fiat_secp384r1_uint1 x1275; ++ uint32_t x1276; ++ fiat_secp384r1_uint1 x1277; ++ uint32_t x1278; ++ fiat_secp384r1_uint1 x1279; ++ uint32_t x1280; ++ fiat_secp384r1_uint1 x1281; ++ uint32_t x1282; ++ fiat_secp384r1_uint1 x1283; ++ uint32_t x1284; ++ fiat_secp384r1_uint1 x1285; ++ uint32_t x1286; ++ fiat_secp384r1_uint1 x1287; ++ uint32_t x1288; ++ fiat_secp384r1_uint1 x1289; ++ uint32_t x1290; ++ fiat_secp384r1_uint1 x1291; ++ uint32_t x1292; ++ uint32_t x1293; ++ uint32_t x1294; ++ uint32_t x1295; ++ uint32_t x1296; ++ uint32_t x1297; ++ uint32_t x1298; ++ uint32_t x1299; ++ uint32_t x1300; ++ uint32_t x1301; ++ uint32_t x1302; ++ uint32_t x1303; ++ uint32_t x1304; ++ uint32_t x1305; ++ uint32_t x1306; ++ uint32_t x1307; ++ uint32_t x1308; ++ uint32_t x1309; ++ uint32_t x1310; ++ uint32_t x1311; ++ uint32_t x1312; ++ fiat_secp384r1_uint1 x1313; ++ uint32_t x1314; ++ fiat_secp384r1_uint1 x1315; ++ uint32_t x1316; ++ fiat_secp384r1_uint1 x1317; ++ uint32_t x1318; ++ fiat_secp384r1_uint1 x1319; ++ uint32_t x1320; ++ fiat_secp384r1_uint1 x1321; ++ uint32_t x1322; ++ fiat_secp384r1_uint1 x1323; ++ uint32_t x1324; ++ fiat_secp384r1_uint1 x1325; ++ uint32_t x1326; ++ fiat_secp384r1_uint1 x1327; ++ uint32_t x1328; ++ uint32_t x1329; ++ fiat_secp384r1_uint1 x1330; ++ uint32_t x1331; ++ fiat_secp384r1_uint1 x1332; ++ uint32_t x1333; ++ fiat_secp384r1_uint1 x1334; ++ uint32_t x1335; ++ fiat_secp384r1_uint1 x1336; ++ uint32_t x1337; ++ fiat_secp384r1_uint1 x1338; ++ uint32_t x1339; ++ fiat_secp384r1_uint1 x1340; ++ uint32_t x1341; ++ fiat_secp384r1_uint1 x1342; ++ uint32_t x1343; ++ fiat_secp384r1_uint1 x1344; ++ uint32_t x1345; ++ fiat_secp384r1_uint1 x1346; ++ uint32_t x1347; ++ fiat_secp384r1_uint1 x1348; ++ uint32_t x1349; ++ fiat_secp384r1_uint1 x1350; ++ uint32_t x1351; ++ fiat_secp384r1_uint1 x1352; ++ uint32_t x1353; ++ fiat_secp384r1_uint1 x1354; ++ uint32_t x1355; ++ uint32_t x1356; ++ uint32_t x1357; ++ uint32_t x1358; ++ uint32_t x1359; ++ uint32_t x1360; ++ uint32_t x1361; ++ uint32_t x1362; ++ uint32_t x1363; ++ uint32_t x1364; ++ uint32_t x1365; ++ uint32_t x1366; ++ uint32_t x1367; ++ uint32_t x1368; ++ uint32_t x1369; ++ uint32_t x1370; ++ uint32_t x1371; ++ uint32_t x1372; ++ uint32_t x1373; ++ uint32_t x1374; ++ uint32_t x1375; ++ uint32_t x1376; ++ uint32_t x1377; ++ uint32_t x1378; ++ uint32_t x1379; ++ uint32_t x1380; ++ fiat_secp384r1_uint1 x1381; ++ uint32_t x1382; ++ fiat_secp384r1_uint1 x1383; ++ uint32_t x1384; ++ fiat_secp384r1_uint1 x1385; ++ uint32_t x1386; ++ fiat_secp384r1_uint1 x1387; ++ uint32_t x1388; ++ fiat_secp384r1_uint1 x1389; ++ uint32_t x1390; ++ fiat_secp384r1_uint1 x1391; ++ uint32_t x1392; ++ fiat_secp384r1_uint1 x1393; ++ uint32_t x1394; ++ fiat_secp384r1_uint1 x1395; ++ uint32_t x1396; ++ fiat_secp384r1_uint1 x1397; ++ uint32_t x1398; ++ fiat_secp384r1_uint1 x1399; ++ uint32_t x1400; ++ fiat_secp384r1_uint1 x1401; ++ uint32_t x1402; ++ uint32_t x1403; ++ fiat_secp384r1_uint1 x1404; ++ uint32_t x1405; ++ fiat_secp384r1_uint1 x1406; ++ uint32_t x1407; ++ fiat_secp384r1_uint1 x1408; ++ uint32_t x1409; ++ fiat_secp384r1_uint1 x1410; ++ uint32_t x1411; ++ fiat_secp384r1_uint1 x1412; ++ uint32_t x1413; ++ fiat_secp384r1_uint1 x1414; ++ uint32_t x1415; ++ fiat_secp384r1_uint1 x1416; ++ uint32_t x1417; ++ fiat_secp384r1_uint1 x1418; ++ uint32_t x1419; ++ fiat_secp384r1_uint1 x1420; ++ uint32_t x1421; ++ fiat_secp384r1_uint1 x1422; ++ uint32_t x1423; ++ fiat_secp384r1_uint1 x1424; ++ uint32_t x1425; ++ fiat_secp384r1_uint1 x1426; ++ uint32_t x1427; ++ fiat_secp384r1_uint1 x1428; ++ uint32_t x1429; ++ uint32_t x1430; ++ uint32_t x1431; ++ uint32_t x1432; ++ uint32_t x1433; ++ uint32_t x1434; ++ uint32_t x1435; ++ uint32_t x1436; ++ uint32_t x1437; ++ uint32_t x1438; ++ uint32_t x1439; ++ uint32_t x1440; ++ uint32_t x1441; ++ uint32_t x1442; ++ uint32_t x1443; ++ uint32_t x1444; ++ uint32_t x1445; ++ uint32_t x1446; ++ uint32_t x1447; ++ uint32_t x1448; ++ uint32_t x1449; ++ fiat_secp384r1_uint1 x1450; ++ uint32_t x1451; ++ fiat_secp384r1_uint1 x1452; ++ uint32_t x1453; ++ fiat_secp384r1_uint1 x1454; ++ uint32_t x1455; ++ fiat_secp384r1_uint1 x1456; ++ uint32_t x1457; ++ fiat_secp384r1_uint1 x1458; ++ uint32_t x1459; ++ fiat_secp384r1_uint1 x1460; ++ uint32_t x1461; ++ fiat_secp384r1_uint1 x1462; ++ uint32_t x1463; ++ fiat_secp384r1_uint1 x1464; ++ uint32_t x1465; ++ uint32_t x1466; ++ fiat_secp384r1_uint1 x1467; ++ uint32_t x1468; ++ fiat_secp384r1_uint1 x1469; ++ uint32_t x1470; ++ fiat_secp384r1_uint1 x1471; ++ uint32_t x1472; ++ fiat_secp384r1_uint1 x1473; ++ uint32_t x1474; ++ fiat_secp384r1_uint1 x1475; ++ uint32_t x1476; ++ fiat_secp384r1_uint1 x1477; ++ uint32_t x1478; ++ fiat_secp384r1_uint1 x1479; ++ uint32_t x1480; ++ fiat_secp384r1_uint1 x1481; ++ uint32_t x1482; ++ fiat_secp384r1_uint1 x1483; ++ uint32_t x1484; ++ fiat_secp384r1_uint1 x1485; ++ uint32_t x1486; ++ fiat_secp384r1_uint1 x1487; ++ uint32_t x1488; ++ fiat_secp384r1_uint1 x1489; ++ uint32_t x1490; ++ fiat_secp384r1_uint1 x1491; ++ uint32_t x1492; ++ uint32_t x1493; ++ uint32_t x1494; ++ uint32_t x1495; ++ uint32_t x1496; ++ uint32_t x1497; ++ uint32_t x1498; ++ uint32_t x1499; ++ uint32_t x1500; ++ uint32_t x1501; ++ uint32_t x1502; ++ uint32_t x1503; ++ uint32_t x1504; ++ uint32_t x1505; ++ uint32_t x1506; ++ uint32_t x1507; ++ uint32_t x1508; ++ uint32_t x1509; ++ uint32_t x1510; ++ uint32_t x1511; ++ uint32_t x1512; ++ uint32_t x1513; ++ uint32_t x1514; ++ uint32_t x1515; ++ uint32_t x1516; ++ uint32_t x1517; ++ fiat_secp384r1_uint1 x1518; ++ uint32_t x1519; ++ fiat_secp384r1_uint1 x1520; ++ uint32_t x1521; ++ fiat_secp384r1_uint1 x1522; ++ uint32_t x1523; ++ fiat_secp384r1_uint1 x1524; ++ uint32_t x1525; ++ fiat_secp384r1_uint1 x1526; ++ uint32_t x1527; ++ fiat_secp384r1_uint1 x1528; ++ uint32_t x1529; ++ fiat_secp384r1_uint1 x1530; ++ uint32_t x1531; ++ fiat_secp384r1_uint1 x1532; ++ uint32_t x1533; ++ fiat_secp384r1_uint1 x1534; ++ uint32_t x1535; ++ fiat_secp384r1_uint1 x1536; ++ uint32_t x1537; ++ fiat_secp384r1_uint1 x1538; ++ uint32_t x1539; ++ uint32_t x1540; ++ fiat_secp384r1_uint1 x1541; ++ uint32_t x1542; ++ fiat_secp384r1_uint1 x1543; ++ uint32_t x1544; ++ fiat_secp384r1_uint1 x1545; ++ uint32_t x1546; ++ fiat_secp384r1_uint1 x1547; ++ uint32_t x1548; ++ fiat_secp384r1_uint1 x1549; ++ uint32_t x1550; ++ fiat_secp384r1_uint1 x1551; ++ uint32_t x1552; ++ fiat_secp384r1_uint1 x1553; ++ uint32_t x1554; ++ fiat_secp384r1_uint1 x1555; ++ uint32_t x1556; ++ fiat_secp384r1_uint1 x1557; ++ uint32_t x1558; ++ fiat_secp384r1_uint1 x1559; ++ uint32_t x1560; ++ fiat_secp384r1_uint1 x1561; ++ uint32_t x1562; ++ fiat_secp384r1_uint1 x1563; ++ uint32_t x1564; ++ fiat_secp384r1_uint1 x1565; ++ uint32_t x1566; ++ uint32_t x1567; ++ uint32_t x1568; ++ uint32_t x1569; ++ uint32_t x1570; ++ uint32_t x1571; ++ uint32_t x1572; ++ uint32_t x1573; ++ uint32_t x1574; ++ uint32_t x1575; ++ uint32_t x1576; ++ uint32_t x1577; ++ uint32_t x1578; ++ uint32_t x1579; ++ uint32_t x1580; ++ uint32_t x1581; ++ uint32_t x1582; ++ uint32_t x1583; ++ uint32_t x1584; ++ uint32_t x1585; ++ uint32_t x1586; ++ fiat_secp384r1_uint1 x1587; ++ uint32_t x1588; ++ fiat_secp384r1_uint1 x1589; ++ uint32_t x1590; ++ fiat_secp384r1_uint1 x1591; ++ uint32_t x1592; ++ fiat_secp384r1_uint1 x1593; ++ uint32_t x1594; ++ fiat_secp384r1_uint1 x1595; ++ uint32_t x1596; ++ fiat_secp384r1_uint1 x1597; ++ uint32_t x1598; ++ fiat_secp384r1_uint1 x1599; ++ uint32_t x1600; ++ fiat_secp384r1_uint1 x1601; ++ uint32_t x1602; ++ uint32_t x1603; ++ fiat_secp384r1_uint1 x1604; ++ uint32_t x1605; ++ fiat_secp384r1_uint1 x1606; ++ uint32_t x1607; ++ fiat_secp384r1_uint1 x1608; ++ uint32_t x1609; ++ fiat_secp384r1_uint1 x1610; ++ uint32_t x1611; ++ fiat_secp384r1_uint1 x1612; ++ uint32_t x1613; ++ fiat_secp384r1_uint1 x1614; ++ uint32_t x1615; ++ fiat_secp384r1_uint1 x1616; ++ uint32_t x1617; ++ fiat_secp384r1_uint1 x1618; ++ uint32_t x1619; ++ fiat_secp384r1_uint1 x1620; ++ uint32_t x1621; ++ fiat_secp384r1_uint1 x1622; ++ uint32_t x1623; ++ fiat_secp384r1_uint1 x1624; ++ uint32_t x1625; ++ fiat_secp384r1_uint1 x1626; ++ uint32_t x1627; ++ fiat_secp384r1_uint1 x1628; ++ uint32_t x1629; ++ uint32_t x1630; ++ fiat_secp384r1_uint1 x1631; ++ uint32_t x1632; ++ fiat_secp384r1_uint1 x1633; ++ uint32_t x1634; ++ fiat_secp384r1_uint1 x1635; ++ uint32_t x1636; ++ fiat_secp384r1_uint1 x1637; ++ uint32_t x1638; ++ fiat_secp384r1_uint1 x1639; ++ uint32_t x1640; ++ fiat_secp384r1_uint1 x1641; ++ uint32_t x1642; ++ fiat_secp384r1_uint1 x1643; ++ uint32_t x1644; ++ fiat_secp384r1_uint1 x1645; ++ uint32_t x1646; ++ fiat_secp384r1_uint1 x1647; ++ uint32_t x1648; ++ fiat_secp384r1_uint1 x1649; ++ uint32_t x1650; ++ fiat_secp384r1_uint1 x1651; ++ uint32_t x1652; ++ fiat_secp384r1_uint1 x1653; ++ uint32_t x1654; ++ fiat_secp384r1_uint1 x1655; ++ uint32_t x1656; ++ uint32_t x1657; ++ uint32_t x1658; ++ uint32_t x1659; ++ uint32_t x1660; ++ uint32_t x1661; ++ uint32_t x1662; ++ uint32_t x1663; ++ uint32_t x1664; ++ uint32_t x1665; ++ uint32_t x1666; ++ uint32_t x1667; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[6]); ++ x7 = (arg1[7]); ++ x8 = (arg1[8]); ++ x9 = (arg1[9]); ++ x10 = (arg1[10]); ++ x11 = (arg1[11]); ++ x12 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x21, &x22, x12, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); ++ fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); ++ fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); ++ fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); ++ fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); ++ fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); ++ fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); ++ fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); ++ fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); ++ fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); ++ fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); ++ x59 = (x58 + x14); ++ fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); ++ fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); ++ fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); ++ fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); ++ fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); ++ fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); ++ fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); ++ fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); ++ x96 = (x95 + x61); ++ fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); ++ fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); ++ fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); ++ fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); ++ fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); ++ fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); ++ fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); ++ fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); ++ fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); ++ fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); ++ fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); ++ fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); ++ fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); ++ fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x144, x141); ++ fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); ++ fiat_secp384r1_addcarryx_u32(&x153, &x154, x152, x140, x137); ++ fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); ++ fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); ++ fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); ++ fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); ++ fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); ++ fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); ++ fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); ++ x169 = (x168 + x124); ++ fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); ++ fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); ++ fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); ++ fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); ++ fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); ++ fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); ++ fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); ++ fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); ++ fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); ++ fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); ++ fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); ++ fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); ++ fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); ++ fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x210, &x211, x170, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); ++ fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); ++ fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); ++ fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); ++ fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); ++ fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); ++ fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); ++ fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); ++ x232 = (x231 + x197); ++ fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); ++ fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); ++ fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); ++ fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); ++ fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); ++ fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); ++ fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); ++ fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); ++ fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); ++ fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); ++ fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); ++ fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); ++ x259 = ((uint32_t)x258 + x195); ++ fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x276, &x277, x2, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); ++ fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); ++ fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); ++ fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); ++ fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); ++ fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); ++ fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); ++ fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); ++ fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); ++ fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); ++ fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); ++ x306 = (x305 + x261); ++ fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); ++ fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); ++ fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); ++ fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); ++ fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); ++ fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); ++ fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); ++ fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); ++ fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); ++ fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); ++ fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); ++ fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); ++ fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); ++ fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x335, &x336, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); ++ fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); ++ fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); ++ fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); ++ fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); ++ fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); ++ fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); ++ x369 = (x368 + x334); ++ fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); ++ fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); ++ fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); ++ fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); ++ fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); ++ fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); ++ fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); ++ fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); ++ fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); ++ fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); ++ fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); ++ fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); ++ x396 = ((uint32_t)x395 + x332); ++ fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); ++ fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); ++ fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); ++ fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); ++ fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); ++ fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); ++ fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); ++ fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); ++ fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); ++ fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); ++ fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); ++ x443 = (x442 + x398); ++ fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); ++ fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); ++ fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); ++ fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); ++ fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); ++ fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); ++ fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); ++ fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); ++ fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x388, x435); ++ fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x390, x437); ++ fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); ++ fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); ++ fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); ++ fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); ++ fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); ++ fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); ++ fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); ++ fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); ++ fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); ++ fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); ++ fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); ++ x506 = (x505 + x471); ++ fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); ++ fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); ++ fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); ++ fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); ++ fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); ++ fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); ++ fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); ++ fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); ++ fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); ++ fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); ++ fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); ++ fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); ++ x533 = ((uint32_t)x532 + x469); ++ fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); ++ fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); ++ fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); ++ fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); ++ fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); ++ fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); ++ fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); ++ fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); ++ fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); ++ fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); ++ fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); ++ x580 = (x579 + x535); ++ fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); ++ fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); ++ fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); ++ fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); ++ fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); ++ fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); ++ fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); ++ fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); ++ fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); ++ fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); ++ fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); ++ fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); ++ fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); ++ fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); ++ fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); ++ fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); ++ fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); ++ fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); ++ fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); ++ fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); ++ fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); ++ x643 = (x642 + x608); ++ fiat_secp384r1_addcarryx_u32(&x644, &x645, 0x0, x581, x625); ++ fiat_secp384r1_addcarryx_u32(&x646, &x647, x645, x583, x626); ++ fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); ++ fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); ++ fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); ++ fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); ++ fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); ++ fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); ++ fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); ++ fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); ++ fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); ++ fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); ++ x670 = ((uint32_t)x669 + x606); ++ fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); ++ fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); ++ fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); ++ fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); ++ fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); ++ fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); ++ fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); ++ fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); ++ fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); ++ fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); ++ fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); ++ x717 = (x716 + x672); ++ fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); ++ fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); ++ fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); ++ fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); ++ fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); ++ fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); ++ fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); ++ fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); ++ fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); ++ fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); ++ fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); ++ fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); ++ fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); ++ fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); ++ fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); ++ fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x757, x754); ++ fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x755, x752); ++ fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); ++ fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); ++ fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); ++ fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); ++ x780 = (x779 + x745); ++ fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); ++ fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); ++ fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); ++ fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); ++ fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); ++ fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); ++ fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); ++ fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); ++ fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); ++ fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); ++ fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); ++ fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); ++ x807 = ((uint32_t)x806 + x743); ++ fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, x828); ++ fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, x826); ++ fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); ++ fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); ++ fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); ++ fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); ++ fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); ++ fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); ++ fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); ++ fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); ++ fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); ++ x854 = (x853 + x809); ++ fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); ++ fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); ++ fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); ++ fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); ++ fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); ++ fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); ++ fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); ++ fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); ++ fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); ++ fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); ++ fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); ++ fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); ++ fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); ++ fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x893, &x894, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x895, &x896, x855, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); ++ fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); ++ fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); ++ fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); ++ fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); ++ fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); ++ fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); ++ fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); ++ x917 = (x916 + x882); ++ fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); ++ fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); ++ fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); ++ fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); ++ fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); ++ fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); ++ fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); ++ fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); ++ fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); ++ fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); ++ fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); ++ fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); ++ x944 = ((uint32_t)x943 + x880); ++ fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); ++ fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); ++ fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); ++ fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); ++ fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); ++ fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); ++ fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); ++ fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); ++ fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); ++ fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); ++ fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); ++ x991 = (x990 + x946); ++ fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); ++ fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); ++ fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); ++ fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); ++ fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); ++ fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); ++ fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); ++ fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); ++ fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); ++ fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); ++ fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); ++ fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); ++ fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); ++ fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1020, &x1021, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); ++ fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); ++ fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); ++ fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); ++ fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); ++ fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); ++ fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); ++ fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); ++ x1054 = (x1053 + x1019); ++ fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); ++ fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); ++ fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); ++ fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); ++ fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); ++ fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); ++ fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); ++ fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); ++ fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); ++ fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1012, x1050); ++ fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); ++ fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); ++ x1081 = ((uint32_t)x1080 + x1017); ++ fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); ++ fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); ++ fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); ++ fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); ++ fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); ++ fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); ++ fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); ++ fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); ++ fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); ++ fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); ++ fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); ++ x1128 = (x1127 + x1083); ++ fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); ++ fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); ++ fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); ++ fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); ++ fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, x1065, x1112); ++ fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); ++ fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); ++ fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); ++ fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); ++ fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); ++ fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); ++ fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); ++ fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); ++ fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); ++ fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); ++ fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); ++ fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); ++ fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); ++ fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); ++ fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); ++ fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); ++ x1191 = (x1190 + x1156); ++ fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, x1129, x1173); ++ fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); ++ fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); ++ fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); ++ fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); ++ fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); ++ fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); ++ fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); ++ fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); ++ fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); ++ fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); ++ fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); ++ x1218 = ((uint32_t)x1217 + x1154); ++ fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); ++ fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); ++ fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); ++ fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); ++ fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); ++ fiat_secp384r1_addcarryx_u32(&x1253, &x1254, x1252, x1232, x1229); ++ fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); ++ fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); ++ fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); ++ fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); ++ fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); ++ x1265 = (x1264 + x1220); ++ fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); ++ fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); ++ fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); ++ fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); ++ fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); ++ fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); ++ fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); ++ fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); ++ fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); ++ fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); ++ fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); ++ fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); ++ fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); ++ fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1310, &x1311, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); ++ fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); ++ fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); ++ fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); ++ fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); ++ fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); ++ fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); ++ fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); ++ x1328 = (x1327 + x1293); ++ fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); ++ fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); ++ fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); ++ fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); ++ fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); ++ fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); ++ fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); ++ fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); ++ fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); ++ fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); ++ fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); ++ fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); ++ x1355 = ((uint32_t)x1354 + x1291); ++ fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); ++ fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); ++ fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); ++ fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); ++ fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); ++ fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); ++ fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); ++ fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); ++ fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); ++ fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); ++ fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); ++ x1402 = (x1401 + x1357); ++ fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); ++ fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); ++ fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); ++ fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); ++ fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); ++ fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); ++ fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); ++ fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); ++ fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); ++ fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); ++ fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); ++ fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); ++ fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, x1402); ++ fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); ++ fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); ++ fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); ++ fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); ++ fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); ++ fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); ++ fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); ++ fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); ++ x1465 = (x1464 + x1430); ++ fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); ++ fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); ++ fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); ++ fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); ++ fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); ++ fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); ++ fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); ++ fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); ++ fiat_secp384r1_addcarryx_u32(&x1484, &x1485, x1483, x1421, x1459); ++ fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); ++ fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); ++ fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); ++ x1492 = ((uint32_t)x1491 + x1428); ++ fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); ++ fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); ++ fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); ++ fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); ++ fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); ++ fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); ++ fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); ++ fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); ++ fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); ++ fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); ++ fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); ++ x1539 = (x1538 + x1494); ++ fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); ++ fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); ++ fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); ++ fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); ++ fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); ++ fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); ++ fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); ++ fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); ++ fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); ++ fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); ++ fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); ++ fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); ++ fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); ++ fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); ++ fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); ++ fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); ++ fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); ++ fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); ++ fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); ++ fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); ++ fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); ++ x1602 = (x1601 + x1567); ++ fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); ++ fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); ++ fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); ++ fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); ++ fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); ++ fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); ++ fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); ++ fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); ++ fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); ++ fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); ++ fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); ++ fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); ++ x1629 = ((uint32_t)x1628 + x1565); ++ fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); ++ fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); ++ fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); ++ fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); ++ fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); ++ fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); ++ fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); ++ fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); ++ fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); ++ fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); ++ fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); ++ fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); ++ out1[0] = x1656; ++ out1[1] = x1657; ++ out1[2] = x1658; ++ out1[3] = x1659; ++ out1[4] = x1660; ++ out1[5] = x1661; ++ out1[6] = x1662; ++ out1[7] = x1663; ++ out1[8] = x1664; ++ out1[9] = x1665; ++ out1[10] = x1666; ++ out1[11] = x1667; ++} ++ ++/* ++ * The function fiat_secp384r1_square squares a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_square(uint32_t out1[12], const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ uint32_t x23; ++ uint32_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint32_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint32_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint32_t x36; ++ uint32_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint32_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint32_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint32_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint32_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint32_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ uint32_t x63; ++ uint32_t x64; ++ uint32_t x65; ++ uint32_t x66; ++ uint32_t x67; ++ uint32_t x68; ++ uint32_t x69; ++ uint32_t x70; ++ uint32_t x71; ++ uint32_t x72; ++ uint32_t x73; ++ uint32_t x74; ++ uint32_t x75; ++ uint32_t x76; ++ uint32_t x77; ++ uint32_t x78; ++ uint32_t x79; ++ uint32_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint32_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint32_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint32_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint32_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint32_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint32_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint32_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint32_t x96; ++ uint32_t x97; ++ fiat_secp384r1_uint1 x98; ++ uint32_t x99; ++ fiat_secp384r1_uint1 x100; ++ uint32_t x101; ++ fiat_secp384r1_uint1 x102; ++ uint32_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint32_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint32_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint32_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint32_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint32_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint32_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint32_t x117; ++ fiat_secp384r1_uint1 x118; ++ uint32_t x119; ++ fiat_secp384r1_uint1 x120; ++ uint32_t x121; ++ fiat_secp384r1_uint1 x122; ++ uint32_t x123; ++ uint32_t x124; ++ uint32_t x125; ++ uint32_t x126; ++ uint32_t x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ uint32_t x138; ++ uint32_t x139; ++ uint32_t x140; ++ uint32_t x141; ++ uint32_t x142; ++ uint32_t x143; ++ uint32_t x144; ++ uint32_t x145; ++ uint32_t x146; ++ uint32_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint32_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint32_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint32_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint32_t x155; ++ fiat_secp384r1_uint1 x156; ++ uint32_t x157; ++ fiat_secp384r1_uint1 x158; ++ uint32_t x159; ++ fiat_secp384r1_uint1 x160; ++ uint32_t x161; ++ fiat_secp384r1_uint1 x162; ++ uint32_t x163; ++ fiat_secp384r1_uint1 x164; ++ uint32_t x165; ++ fiat_secp384r1_uint1 x166; ++ uint32_t x167; ++ fiat_secp384r1_uint1 x168; ++ uint32_t x169; ++ uint32_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint32_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint32_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint32_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint32_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint32_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint32_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint32_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint32_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint32_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint32_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint32_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint32_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint32_t x196; ++ uint32_t x197; ++ uint32_t x198; ++ uint32_t x199; ++ uint32_t x200; ++ uint32_t x201; ++ uint32_t x202; ++ uint32_t x203; ++ uint32_t x204; ++ uint32_t x205; ++ uint32_t x206; ++ uint32_t x207; ++ uint32_t x208; ++ uint32_t x209; ++ uint32_t x210; ++ uint32_t x211; ++ uint32_t x212; ++ uint32_t x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint32_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint32_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint32_t x222; ++ fiat_secp384r1_uint1 x223; ++ uint32_t x224; ++ fiat_secp384r1_uint1 x225; ++ uint32_t x226; ++ fiat_secp384r1_uint1 x227; ++ uint32_t x228; ++ fiat_secp384r1_uint1 x229; ++ uint32_t x230; ++ fiat_secp384r1_uint1 x231; ++ uint32_t x232; ++ uint32_t x233; ++ fiat_secp384r1_uint1 x234; ++ uint32_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint32_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint32_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint32_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint32_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint32_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint32_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint32_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint32_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint32_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint32_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint32_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint32_t x259; ++ uint32_t x260; ++ uint32_t x261; ++ uint32_t x262; ++ uint32_t x263; ++ uint32_t x264; ++ uint32_t x265; ++ uint32_t x266; ++ uint32_t x267; ++ uint32_t x268; ++ uint32_t x269; ++ uint32_t x270; ++ uint32_t x271; ++ uint32_t x272; ++ uint32_t x273; ++ uint32_t x274; ++ uint32_t x275; ++ uint32_t x276; ++ uint32_t x277; ++ uint32_t x278; ++ uint32_t x279; ++ uint32_t x280; ++ uint32_t x281; ++ uint32_t x282; ++ uint32_t x283; ++ uint32_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint32_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint32_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint32_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint32_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint32_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint32_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint32_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint32_t x300; ++ fiat_secp384r1_uint1 x301; ++ uint32_t x302; ++ fiat_secp384r1_uint1 x303; ++ uint32_t x304; ++ fiat_secp384r1_uint1 x305; ++ uint32_t x306; ++ uint32_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint32_t x309; ++ fiat_secp384r1_uint1 x310; ++ uint32_t x311; ++ fiat_secp384r1_uint1 x312; ++ uint32_t x313; ++ fiat_secp384r1_uint1 x314; ++ uint32_t x315; ++ fiat_secp384r1_uint1 x316; ++ uint32_t x317; ++ fiat_secp384r1_uint1 x318; ++ uint32_t x319; ++ fiat_secp384r1_uint1 x320; ++ uint32_t x321; ++ fiat_secp384r1_uint1 x322; ++ uint32_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint32_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint32_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint32_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint32_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint32_t x333; ++ uint32_t x334; ++ uint32_t x335; ++ uint32_t x336; ++ uint32_t x337; ++ uint32_t x338; ++ uint32_t x339; ++ uint32_t x340; ++ uint32_t x341; ++ uint32_t x342; ++ uint32_t x343; ++ uint32_t x344; ++ uint32_t x345; ++ uint32_t x346; ++ uint32_t x347; ++ uint32_t x348; ++ uint32_t x349; ++ uint32_t x350; ++ uint32_t x351; ++ uint32_t x352; ++ uint32_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint32_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint32_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint32_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint32_t x361; ++ fiat_secp384r1_uint1 x362; ++ uint32_t x363; ++ fiat_secp384r1_uint1 x364; ++ uint32_t x365; ++ fiat_secp384r1_uint1 x366; ++ uint32_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint32_t x369; ++ uint32_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint32_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint32_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint32_t x376; ++ fiat_secp384r1_uint1 x377; ++ uint32_t x378; ++ fiat_secp384r1_uint1 x379; ++ uint32_t x380; ++ fiat_secp384r1_uint1 x381; ++ uint32_t x382; ++ fiat_secp384r1_uint1 x383; ++ uint32_t x384; ++ fiat_secp384r1_uint1 x385; ++ uint32_t x386; ++ fiat_secp384r1_uint1 x387; ++ uint32_t x388; ++ fiat_secp384r1_uint1 x389; ++ uint32_t x390; ++ fiat_secp384r1_uint1 x391; ++ uint32_t x392; ++ fiat_secp384r1_uint1 x393; ++ uint32_t x394; ++ fiat_secp384r1_uint1 x395; ++ uint32_t x396; ++ uint32_t x397; ++ uint32_t x398; ++ uint32_t x399; ++ uint32_t x400; ++ uint32_t x401; ++ uint32_t x402; ++ uint32_t x403; ++ uint32_t x404; ++ uint32_t x405; ++ uint32_t x406; ++ uint32_t x407; ++ uint32_t x408; ++ uint32_t x409; ++ uint32_t x410; ++ uint32_t x411; ++ uint32_t x412; ++ uint32_t x413; ++ uint32_t x414; ++ uint32_t x415; ++ uint32_t x416; ++ uint32_t x417; ++ uint32_t x418; ++ uint32_t x419; ++ uint32_t x420; ++ uint32_t x421; ++ fiat_secp384r1_uint1 x422; ++ uint32_t x423; ++ fiat_secp384r1_uint1 x424; ++ uint32_t x425; ++ fiat_secp384r1_uint1 x426; ++ uint32_t x427; ++ fiat_secp384r1_uint1 x428; ++ uint32_t x429; ++ fiat_secp384r1_uint1 x430; ++ uint32_t x431; ++ fiat_secp384r1_uint1 x432; ++ uint32_t x433; ++ fiat_secp384r1_uint1 x434; ++ uint32_t x435; ++ fiat_secp384r1_uint1 x436; ++ uint32_t x437; ++ fiat_secp384r1_uint1 x438; ++ uint32_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint32_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint32_t x443; ++ uint32_t x444; ++ fiat_secp384r1_uint1 x445; ++ uint32_t x446; ++ fiat_secp384r1_uint1 x447; ++ uint32_t x448; ++ fiat_secp384r1_uint1 x449; ++ uint32_t x450; ++ fiat_secp384r1_uint1 x451; ++ uint32_t x452; ++ fiat_secp384r1_uint1 x453; ++ uint32_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint32_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint32_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint32_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint32_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint32_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint32_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint32_t x468; ++ fiat_secp384r1_uint1 x469; ++ uint32_t x470; ++ uint32_t x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ uint32_t x476; ++ uint32_t x477; ++ uint32_t x478; ++ uint32_t x479; ++ uint32_t x480; ++ uint32_t x481; ++ uint32_t x482; ++ uint32_t x483; ++ uint32_t x484; ++ uint32_t x485; ++ uint32_t x486; ++ uint32_t x487; ++ uint32_t x488; ++ uint32_t x489; ++ uint32_t x490; ++ fiat_secp384r1_uint1 x491; ++ uint32_t x492; ++ fiat_secp384r1_uint1 x493; ++ uint32_t x494; ++ fiat_secp384r1_uint1 x495; ++ uint32_t x496; ++ fiat_secp384r1_uint1 x497; ++ uint32_t x498; ++ fiat_secp384r1_uint1 x499; ++ uint32_t x500; ++ fiat_secp384r1_uint1 x501; ++ uint32_t x502; ++ fiat_secp384r1_uint1 x503; ++ uint32_t x504; ++ fiat_secp384r1_uint1 x505; ++ uint32_t x506; ++ uint32_t x507; ++ fiat_secp384r1_uint1 x508; ++ uint32_t x509; ++ fiat_secp384r1_uint1 x510; ++ uint32_t x511; ++ fiat_secp384r1_uint1 x512; ++ uint32_t x513; ++ fiat_secp384r1_uint1 x514; ++ uint32_t x515; ++ fiat_secp384r1_uint1 x516; ++ uint32_t x517; ++ fiat_secp384r1_uint1 x518; ++ uint32_t x519; ++ fiat_secp384r1_uint1 x520; ++ uint32_t x521; ++ fiat_secp384r1_uint1 x522; ++ uint32_t x523; ++ fiat_secp384r1_uint1 x524; ++ uint32_t x525; ++ fiat_secp384r1_uint1 x526; ++ uint32_t x527; ++ fiat_secp384r1_uint1 x528; ++ uint32_t x529; ++ fiat_secp384r1_uint1 x530; ++ uint32_t x531; ++ fiat_secp384r1_uint1 x532; ++ uint32_t x533; ++ uint32_t x534; ++ uint32_t x535; ++ uint32_t x536; ++ uint32_t x537; ++ uint32_t x538; ++ uint32_t x539; ++ uint32_t x540; ++ uint32_t x541; ++ uint32_t x542; ++ uint32_t x543; ++ uint32_t x544; ++ uint32_t x545; ++ uint32_t x546; ++ uint32_t x547; ++ uint32_t x548; ++ uint32_t x549; ++ uint32_t x550; ++ uint32_t x551; ++ uint32_t x552; ++ uint32_t x553; ++ uint32_t x554; ++ uint32_t x555; ++ uint32_t x556; ++ uint32_t x557; ++ uint32_t x558; ++ fiat_secp384r1_uint1 x559; ++ uint32_t x560; ++ fiat_secp384r1_uint1 x561; ++ uint32_t x562; ++ fiat_secp384r1_uint1 x563; ++ uint32_t x564; ++ fiat_secp384r1_uint1 x565; ++ uint32_t x566; ++ fiat_secp384r1_uint1 x567; ++ uint32_t x568; ++ fiat_secp384r1_uint1 x569; ++ uint32_t x570; ++ fiat_secp384r1_uint1 x571; ++ uint32_t x572; ++ fiat_secp384r1_uint1 x573; ++ uint32_t x574; ++ fiat_secp384r1_uint1 x575; ++ uint32_t x576; ++ fiat_secp384r1_uint1 x577; ++ uint32_t x578; ++ fiat_secp384r1_uint1 x579; ++ uint32_t x580; ++ uint32_t x581; ++ fiat_secp384r1_uint1 x582; ++ uint32_t x583; ++ fiat_secp384r1_uint1 x584; ++ uint32_t x585; ++ fiat_secp384r1_uint1 x586; ++ uint32_t x587; ++ fiat_secp384r1_uint1 x588; ++ uint32_t x589; ++ fiat_secp384r1_uint1 x590; ++ uint32_t x591; ++ fiat_secp384r1_uint1 x592; ++ uint32_t x593; ++ fiat_secp384r1_uint1 x594; ++ uint32_t x595; ++ fiat_secp384r1_uint1 x596; ++ uint32_t x597; ++ fiat_secp384r1_uint1 x598; ++ uint32_t x599; ++ fiat_secp384r1_uint1 x600; ++ uint32_t x601; ++ fiat_secp384r1_uint1 x602; ++ uint32_t x603; ++ fiat_secp384r1_uint1 x604; ++ uint32_t x605; ++ fiat_secp384r1_uint1 x606; ++ uint32_t x607; ++ uint32_t x608; ++ uint32_t x609; ++ uint32_t x610; ++ uint32_t x611; ++ uint32_t x612; ++ uint32_t x613; ++ uint32_t x614; ++ uint32_t x615; ++ uint32_t x616; ++ uint32_t x617; ++ uint32_t x618; ++ uint32_t x619; ++ uint32_t x620; ++ uint32_t x621; ++ uint32_t x622; ++ uint32_t x623; ++ uint32_t x624; ++ uint32_t x625; ++ uint32_t x626; ++ uint32_t x627; ++ fiat_secp384r1_uint1 x628; ++ uint32_t x629; ++ fiat_secp384r1_uint1 x630; ++ uint32_t x631; ++ fiat_secp384r1_uint1 x632; ++ uint32_t x633; ++ fiat_secp384r1_uint1 x634; ++ uint32_t x635; ++ fiat_secp384r1_uint1 x636; ++ uint32_t x637; ++ fiat_secp384r1_uint1 x638; ++ uint32_t x639; ++ fiat_secp384r1_uint1 x640; ++ uint32_t x641; ++ fiat_secp384r1_uint1 x642; ++ uint32_t x643; ++ uint32_t x644; ++ fiat_secp384r1_uint1 x645; ++ uint32_t x646; ++ fiat_secp384r1_uint1 x647; ++ uint32_t x648; ++ fiat_secp384r1_uint1 x649; ++ uint32_t x650; ++ fiat_secp384r1_uint1 x651; ++ uint32_t x652; ++ fiat_secp384r1_uint1 x653; ++ uint32_t x654; ++ fiat_secp384r1_uint1 x655; ++ uint32_t x656; ++ fiat_secp384r1_uint1 x657; ++ uint32_t x658; ++ fiat_secp384r1_uint1 x659; ++ uint32_t x660; ++ fiat_secp384r1_uint1 x661; ++ uint32_t x662; ++ fiat_secp384r1_uint1 x663; ++ uint32_t x664; ++ fiat_secp384r1_uint1 x665; ++ uint32_t x666; ++ fiat_secp384r1_uint1 x667; ++ uint32_t x668; ++ fiat_secp384r1_uint1 x669; ++ uint32_t x670; ++ uint32_t x671; ++ uint32_t x672; ++ uint32_t x673; ++ uint32_t x674; ++ uint32_t x675; ++ uint32_t x676; ++ uint32_t x677; ++ uint32_t x678; ++ uint32_t x679; ++ uint32_t x680; ++ uint32_t x681; ++ uint32_t x682; ++ uint32_t x683; ++ uint32_t x684; ++ uint32_t x685; ++ uint32_t x686; ++ uint32_t x687; ++ uint32_t x688; ++ uint32_t x689; ++ uint32_t x690; ++ uint32_t x691; ++ uint32_t x692; ++ uint32_t x693; ++ uint32_t x694; ++ uint32_t x695; ++ fiat_secp384r1_uint1 x696; ++ uint32_t x697; ++ fiat_secp384r1_uint1 x698; ++ uint32_t x699; ++ fiat_secp384r1_uint1 x700; ++ uint32_t x701; ++ fiat_secp384r1_uint1 x702; ++ uint32_t x703; ++ fiat_secp384r1_uint1 x704; ++ uint32_t x705; ++ fiat_secp384r1_uint1 x706; ++ uint32_t x707; ++ fiat_secp384r1_uint1 x708; ++ uint32_t x709; ++ fiat_secp384r1_uint1 x710; ++ uint32_t x711; ++ fiat_secp384r1_uint1 x712; ++ uint32_t x713; ++ fiat_secp384r1_uint1 x714; ++ uint32_t x715; ++ fiat_secp384r1_uint1 x716; ++ uint32_t x717; ++ uint32_t x718; ++ fiat_secp384r1_uint1 x719; ++ uint32_t x720; ++ fiat_secp384r1_uint1 x721; ++ uint32_t x722; ++ fiat_secp384r1_uint1 x723; ++ uint32_t x724; ++ fiat_secp384r1_uint1 x725; ++ uint32_t x726; ++ fiat_secp384r1_uint1 x727; ++ uint32_t x728; ++ fiat_secp384r1_uint1 x729; ++ uint32_t x730; ++ fiat_secp384r1_uint1 x731; ++ uint32_t x732; ++ fiat_secp384r1_uint1 x733; ++ uint32_t x734; ++ fiat_secp384r1_uint1 x735; ++ uint32_t x736; ++ fiat_secp384r1_uint1 x737; ++ uint32_t x738; ++ fiat_secp384r1_uint1 x739; ++ uint32_t x740; ++ fiat_secp384r1_uint1 x741; ++ uint32_t x742; ++ fiat_secp384r1_uint1 x743; ++ uint32_t x744; ++ uint32_t x745; ++ uint32_t x746; ++ uint32_t x747; ++ uint32_t x748; ++ uint32_t x749; ++ uint32_t x750; ++ uint32_t x751; ++ uint32_t x752; ++ uint32_t x753; ++ uint32_t x754; ++ uint32_t x755; ++ uint32_t x756; ++ uint32_t x757; ++ uint32_t x758; ++ uint32_t x759; ++ uint32_t x760; ++ uint32_t x761; ++ uint32_t x762; ++ uint32_t x763; ++ uint32_t x764; ++ fiat_secp384r1_uint1 x765; ++ uint32_t x766; ++ fiat_secp384r1_uint1 x767; ++ uint32_t x768; ++ fiat_secp384r1_uint1 x769; ++ uint32_t x770; ++ fiat_secp384r1_uint1 x771; ++ uint32_t x772; ++ fiat_secp384r1_uint1 x773; ++ uint32_t x774; ++ fiat_secp384r1_uint1 x775; ++ uint32_t x776; ++ fiat_secp384r1_uint1 x777; ++ uint32_t x778; ++ fiat_secp384r1_uint1 x779; ++ uint32_t x780; ++ uint32_t x781; ++ fiat_secp384r1_uint1 x782; ++ uint32_t x783; ++ fiat_secp384r1_uint1 x784; ++ uint32_t x785; ++ fiat_secp384r1_uint1 x786; ++ uint32_t x787; ++ fiat_secp384r1_uint1 x788; ++ uint32_t x789; ++ fiat_secp384r1_uint1 x790; ++ uint32_t x791; ++ fiat_secp384r1_uint1 x792; ++ uint32_t x793; ++ fiat_secp384r1_uint1 x794; ++ uint32_t x795; ++ fiat_secp384r1_uint1 x796; ++ uint32_t x797; ++ fiat_secp384r1_uint1 x798; ++ uint32_t x799; ++ fiat_secp384r1_uint1 x800; ++ uint32_t x801; ++ fiat_secp384r1_uint1 x802; ++ uint32_t x803; ++ fiat_secp384r1_uint1 x804; ++ uint32_t x805; ++ fiat_secp384r1_uint1 x806; ++ uint32_t x807; ++ uint32_t x808; ++ uint32_t x809; ++ uint32_t x810; ++ uint32_t x811; ++ uint32_t x812; ++ uint32_t x813; ++ uint32_t x814; ++ uint32_t x815; ++ uint32_t x816; ++ uint32_t x817; ++ uint32_t x818; ++ uint32_t x819; ++ uint32_t x820; ++ uint32_t x821; ++ uint32_t x822; ++ uint32_t x823; ++ uint32_t x824; ++ uint32_t x825; ++ uint32_t x826; ++ uint32_t x827; ++ uint32_t x828; ++ uint32_t x829; ++ uint32_t x830; ++ uint32_t x831; ++ uint32_t x832; ++ fiat_secp384r1_uint1 x833; ++ uint32_t x834; ++ fiat_secp384r1_uint1 x835; ++ uint32_t x836; ++ fiat_secp384r1_uint1 x837; ++ uint32_t x838; ++ fiat_secp384r1_uint1 x839; ++ uint32_t x840; ++ fiat_secp384r1_uint1 x841; ++ uint32_t x842; ++ fiat_secp384r1_uint1 x843; ++ uint32_t x844; ++ fiat_secp384r1_uint1 x845; ++ uint32_t x846; ++ fiat_secp384r1_uint1 x847; ++ uint32_t x848; ++ fiat_secp384r1_uint1 x849; ++ uint32_t x850; ++ fiat_secp384r1_uint1 x851; ++ uint32_t x852; ++ fiat_secp384r1_uint1 x853; ++ uint32_t x854; ++ uint32_t x855; ++ fiat_secp384r1_uint1 x856; ++ uint32_t x857; ++ fiat_secp384r1_uint1 x858; ++ uint32_t x859; ++ fiat_secp384r1_uint1 x860; ++ uint32_t x861; ++ fiat_secp384r1_uint1 x862; ++ uint32_t x863; ++ fiat_secp384r1_uint1 x864; ++ uint32_t x865; ++ fiat_secp384r1_uint1 x866; ++ uint32_t x867; ++ fiat_secp384r1_uint1 x868; ++ uint32_t x869; ++ fiat_secp384r1_uint1 x870; ++ uint32_t x871; ++ fiat_secp384r1_uint1 x872; ++ uint32_t x873; ++ fiat_secp384r1_uint1 x874; ++ uint32_t x875; ++ fiat_secp384r1_uint1 x876; ++ uint32_t x877; ++ fiat_secp384r1_uint1 x878; ++ uint32_t x879; ++ fiat_secp384r1_uint1 x880; ++ uint32_t x881; ++ uint32_t x882; ++ uint32_t x883; ++ uint32_t x884; ++ uint32_t x885; ++ uint32_t x886; ++ uint32_t x887; ++ uint32_t x888; ++ uint32_t x889; ++ uint32_t x890; ++ uint32_t x891; ++ uint32_t x892; ++ uint32_t x893; ++ uint32_t x894; ++ uint32_t x895; ++ uint32_t x896; ++ uint32_t x897; ++ uint32_t x898; ++ uint32_t x899; ++ uint32_t x900; ++ uint32_t x901; ++ fiat_secp384r1_uint1 x902; ++ uint32_t x903; ++ fiat_secp384r1_uint1 x904; ++ uint32_t x905; ++ fiat_secp384r1_uint1 x906; ++ uint32_t x907; ++ fiat_secp384r1_uint1 x908; ++ uint32_t x909; ++ fiat_secp384r1_uint1 x910; ++ uint32_t x911; ++ fiat_secp384r1_uint1 x912; ++ uint32_t x913; ++ fiat_secp384r1_uint1 x914; ++ uint32_t x915; ++ fiat_secp384r1_uint1 x916; ++ uint32_t x917; ++ uint32_t x918; ++ fiat_secp384r1_uint1 x919; ++ uint32_t x920; ++ fiat_secp384r1_uint1 x921; ++ uint32_t x922; ++ fiat_secp384r1_uint1 x923; ++ uint32_t x924; ++ fiat_secp384r1_uint1 x925; ++ uint32_t x926; ++ fiat_secp384r1_uint1 x927; ++ uint32_t x928; ++ fiat_secp384r1_uint1 x929; ++ uint32_t x930; ++ fiat_secp384r1_uint1 x931; ++ uint32_t x932; ++ fiat_secp384r1_uint1 x933; ++ uint32_t x934; ++ fiat_secp384r1_uint1 x935; ++ uint32_t x936; ++ fiat_secp384r1_uint1 x937; ++ uint32_t x938; ++ fiat_secp384r1_uint1 x939; ++ uint32_t x940; ++ fiat_secp384r1_uint1 x941; ++ uint32_t x942; ++ fiat_secp384r1_uint1 x943; ++ uint32_t x944; ++ uint32_t x945; ++ uint32_t x946; ++ uint32_t x947; ++ uint32_t x948; ++ uint32_t x949; ++ uint32_t x950; ++ uint32_t x951; ++ uint32_t x952; ++ uint32_t x953; ++ uint32_t x954; ++ uint32_t x955; ++ uint32_t x956; ++ uint32_t x957; ++ uint32_t x958; ++ uint32_t x959; ++ uint32_t x960; ++ uint32_t x961; ++ uint32_t x962; ++ uint32_t x963; ++ uint32_t x964; ++ uint32_t x965; ++ uint32_t x966; ++ uint32_t x967; ++ uint32_t x968; ++ uint32_t x969; ++ fiat_secp384r1_uint1 x970; ++ uint32_t x971; ++ fiat_secp384r1_uint1 x972; ++ uint32_t x973; ++ fiat_secp384r1_uint1 x974; ++ uint32_t x975; ++ fiat_secp384r1_uint1 x976; ++ uint32_t x977; ++ fiat_secp384r1_uint1 x978; ++ uint32_t x979; ++ fiat_secp384r1_uint1 x980; ++ uint32_t x981; ++ fiat_secp384r1_uint1 x982; ++ uint32_t x983; ++ fiat_secp384r1_uint1 x984; ++ uint32_t x985; ++ fiat_secp384r1_uint1 x986; ++ uint32_t x987; ++ fiat_secp384r1_uint1 x988; ++ uint32_t x989; ++ fiat_secp384r1_uint1 x990; ++ uint32_t x991; ++ uint32_t x992; ++ fiat_secp384r1_uint1 x993; ++ uint32_t x994; ++ fiat_secp384r1_uint1 x995; ++ uint32_t x996; ++ fiat_secp384r1_uint1 x997; ++ uint32_t x998; ++ fiat_secp384r1_uint1 x999; ++ uint32_t x1000; ++ fiat_secp384r1_uint1 x1001; ++ uint32_t x1002; ++ fiat_secp384r1_uint1 x1003; ++ uint32_t x1004; ++ fiat_secp384r1_uint1 x1005; ++ uint32_t x1006; ++ fiat_secp384r1_uint1 x1007; ++ uint32_t x1008; ++ fiat_secp384r1_uint1 x1009; ++ uint32_t x1010; ++ fiat_secp384r1_uint1 x1011; ++ uint32_t x1012; ++ fiat_secp384r1_uint1 x1013; ++ uint32_t x1014; ++ fiat_secp384r1_uint1 x1015; ++ uint32_t x1016; ++ fiat_secp384r1_uint1 x1017; ++ uint32_t x1018; ++ uint32_t x1019; ++ uint32_t x1020; ++ uint32_t x1021; ++ uint32_t x1022; ++ uint32_t x1023; ++ uint32_t x1024; ++ uint32_t x1025; ++ uint32_t x1026; ++ uint32_t x1027; ++ uint32_t x1028; ++ uint32_t x1029; ++ uint32_t x1030; ++ uint32_t x1031; ++ uint32_t x1032; ++ uint32_t x1033; ++ uint32_t x1034; ++ uint32_t x1035; ++ uint32_t x1036; ++ uint32_t x1037; ++ uint32_t x1038; ++ fiat_secp384r1_uint1 x1039; ++ uint32_t x1040; ++ fiat_secp384r1_uint1 x1041; ++ uint32_t x1042; ++ fiat_secp384r1_uint1 x1043; ++ uint32_t x1044; ++ fiat_secp384r1_uint1 x1045; ++ uint32_t x1046; ++ fiat_secp384r1_uint1 x1047; ++ uint32_t x1048; ++ fiat_secp384r1_uint1 x1049; ++ uint32_t x1050; ++ fiat_secp384r1_uint1 x1051; ++ uint32_t x1052; ++ fiat_secp384r1_uint1 x1053; ++ uint32_t x1054; ++ uint32_t x1055; ++ fiat_secp384r1_uint1 x1056; ++ uint32_t x1057; ++ fiat_secp384r1_uint1 x1058; ++ uint32_t x1059; ++ fiat_secp384r1_uint1 x1060; ++ uint32_t x1061; ++ fiat_secp384r1_uint1 x1062; ++ uint32_t x1063; ++ fiat_secp384r1_uint1 x1064; ++ uint32_t x1065; ++ fiat_secp384r1_uint1 x1066; ++ uint32_t x1067; ++ fiat_secp384r1_uint1 x1068; ++ uint32_t x1069; ++ fiat_secp384r1_uint1 x1070; ++ uint32_t x1071; ++ fiat_secp384r1_uint1 x1072; ++ uint32_t x1073; ++ fiat_secp384r1_uint1 x1074; ++ uint32_t x1075; ++ fiat_secp384r1_uint1 x1076; ++ uint32_t x1077; ++ fiat_secp384r1_uint1 x1078; ++ uint32_t x1079; ++ fiat_secp384r1_uint1 x1080; ++ uint32_t x1081; ++ uint32_t x1082; ++ uint32_t x1083; ++ uint32_t x1084; ++ uint32_t x1085; ++ uint32_t x1086; ++ uint32_t x1087; ++ uint32_t x1088; ++ uint32_t x1089; ++ uint32_t x1090; ++ uint32_t x1091; ++ uint32_t x1092; ++ uint32_t x1093; ++ uint32_t x1094; ++ uint32_t x1095; ++ uint32_t x1096; ++ uint32_t x1097; ++ uint32_t x1098; ++ uint32_t x1099; ++ uint32_t x1100; ++ uint32_t x1101; ++ uint32_t x1102; ++ uint32_t x1103; ++ uint32_t x1104; ++ uint32_t x1105; ++ uint32_t x1106; ++ fiat_secp384r1_uint1 x1107; ++ uint32_t x1108; ++ fiat_secp384r1_uint1 x1109; ++ uint32_t x1110; ++ fiat_secp384r1_uint1 x1111; ++ uint32_t x1112; ++ fiat_secp384r1_uint1 x1113; ++ uint32_t x1114; ++ fiat_secp384r1_uint1 x1115; ++ uint32_t x1116; ++ fiat_secp384r1_uint1 x1117; ++ uint32_t x1118; ++ fiat_secp384r1_uint1 x1119; ++ uint32_t x1120; ++ fiat_secp384r1_uint1 x1121; ++ uint32_t x1122; ++ fiat_secp384r1_uint1 x1123; ++ uint32_t x1124; ++ fiat_secp384r1_uint1 x1125; ++ uint32_t x1126; ++ fiat_secp384r1_uint1 x1127; ++ uint32_t x1128; ++ uint32_t x1129; ++ fiat_secp384r1_uint1 x1130; ++ uint32_t x1131; ++ fiat_secp384r1_uint1 x1132; ++ uint32_t x1133; ++ fiat_secp384r1_uint1 x1134; ++ uint32_t x1135; ++ fiat_secp384r1_uint1 x1136; ++ uint32_t x1137; ++ fiat_secp384r1_uint1 x1138; ++ uint32_t x1139; ++ fiat_secp384r1_uint1 x1140; ++ uint32_t x1141; ++ fiat_secp384r1_uint1 x1142; ++ uint32_t x1143; ++ fiat_secp384r1_uint1 x1144; ++ uint32_t x1145; ++ fiat_secp384r1_uint1 x1146; ++ uint32_t x1147; ++ fiat_secp384r1_uint1 x1148; ++ uint32_t x1149; ++ fiat_secp384r1_uint1 x1150; ++ uint32_t x1151; ++ fiat_secp384r1_uint1 x1152; ++ uint32_t x1153; ++ fiat_secp384r1_uint1 x1154; ++ uint32_t x1155; ++ uint32_t x1156; ++ uint32_t x1157; ++ uint32_t x1158; ++ uint32_t x1159; ++ uint32_t x1160; ++ uint32_t x1161; ++ uint32_t x1162; ++ uint32_t x1163; ++ uint32_t x1164; ++ uint32_t x1165; ++ uint32_t x1166; ++ uint32_t x1167; ++ uint32_t x1168; ++ uint32_t x1169; ++ uint32_t x1170; ++ uint32_t x1171; ++ uint32_t x1172; ++ uint32_t x1173; ++ uint32_t x1174; ++ uint32_t x1175; ++ fiat_secp384r1_uint1 x1176; ++ uint32_t x1177; ++ fiat_secp384r1_uint1 x1178; ++ uint32_t x1179; ++ fiat_secp384r1_uint1 x1180; ++ uint32_t x1181; ++ fiat_secp384r1_uint1 x1182; ++ uint32_t x1183; ++ fiat_secp384r1_uint1 x1184; ++ uint32_t x1185; ++ fiat_secp384r1_uint1 x1186; ++ uint32_t x1187; ++ fiat_secp384r1_uint1 x1188; ++ uint32_t x1189; ++ fiat_secp384r1_uint1 x1190; ++ uint32_t x1191; ++ uint32_t x1192; ++ fiat_secp384r1_uint1 x1193; ++ uint32_t x1194; ++ fiat_secp384r1_uint1 x1195; ++ uint32_t x1196; ++ fiat_secp384r1_uint1 x1197; ++ uint32_t x1198; ++ fiat_secp384r1_uint1 x1199; ++ uint32_t x1200; ++ fiat_secp384r1_uint1 x1201; ++ uint32_t x1202; ++ fiat_secp384r1_uint1 x1203; ++ uint32_t x1204; ++ fiat_secp384r1_uint1 x1205; ++ uint32_t x1206; ++ fiat_secp384r1_uint1 x1207; ++ uint32_t x1208; ++ fiat_secp384r1_uint1 x1209; ++ uint32_t x1210; ++ fiat_secp384r1_uint1 x1211; ++ uint32_t x1212; ++ fiat_secp384r1_uint1 x1213; ++ uint32_t x1214; ++ fiat_secp384r1_uint1 x1215; ++ uint32_t x1216; ++ fiat_secp384r1_uint1 x1217; ++ uint32_t x1218; ++ uint32_t x1219; ++ uint32_t x1220; ++ uint32_t x1221; ++ uint32_t x1222; ++ uint32_t x1223; ++ uint32_t x1224; ++ uint32_t x1225; ++ uint32_t x1226; ++ uint32_t x1227; ++ uint32_t x1228; ++ uint32_t x1229; ++ uint32_t x1230; ++ uint32_t x1231; ++ uint32_t x1232; ++ uint32_t x1233; ++ uint32_t x1234; ++ uint32_t x1235; ++ uint32_t x1236; ++ uint32_t x1237; ++ uint32_t x1238; ++ uint32_t x1239; ++ uint32_t x1240; ++ uint32_t x1241; ++ uint32_t x1242; ++ uint32_t x1243; ++ fiat_secp384r1_uint1 x1244; ++ uint32_t x1245; ++ fiat_secp384r1_uint1 x1246; ++ uint32_t x1247; ++ fiat_secp384r1_uint1 x1248; ++ uint32_t x1249; ++ fiat_secp384r1_uint1 x1250; ++ uint32_t x1251; ++ fiat_secp384r1_uint1 x1252; ++ uint32_t x1253; ++ fiat_secp384r1_uint1 x1254; ++ uint32_t x1255; ++ fiat_secp384r1_uint1 x1256; ++ uint32_t x1257; ++ fiat_secp384r1_uint1 x1258; ++ uint32_t x1259; ++ fiat_secp384r1_uint1 x1260; ++ uint32_t x1261; ++ fiat_secp384r1_uint1 x1262; ++ uint32_t x1263; ++ fiat_secp384r1_uint1 x1264; ++ uint32_t x1265; ++ uint32_t x1266; ++ fiat_secp384r1_uint1 x1267; ++ uint32_t x1268; ++ fiat_secp384r1_uint1 x1269; ++ uint32_t x1270; ++ fiat_secp384r1_uint1 x1271; ++ uint32_t x1272; ++ fiat_secp384r1_uint1 x1273; ++ uint32_t x1274; ++ fiat_secp384r1_uint1 x1275; ++ uint32_t x1276; ++ fiat_secp384r1_uint1 x1277; ++ uint32_t x1278; ++ fiat_secp384r1_uint1 x1279; ++ uint32_t x1280; ++ fiat_secp384r1_uint1 x1281; ++ uint32_t x1282; ++ fiat_secp384r1_uint1 x1283; ++ uint32_t x1284; ++ fiat_secp384r1_uint1 x1285; ++ uint32_t x1286; ++ fiat_secp384r1_uint1 x1287; ++ uint32_t x1288; ++ fiat_secp384r1_uint1 x1289; ++ uint32_t x1290; ++ fiat_secp384r1_uint1 x1291; ++ uint32_t x1292; ++ uint32_t x1293; ++ uint32_t x1294; ++ uint32_t x1295; ++ uint32_t x1296; ++ uint32_t x1297; ++ uint32_t x1298; ++ uint32_t x1299; ++ uint32_t x1300; ++ uint32_t x1301; ++ uint32_t x1302; ++ uint32_t x1303; ++ uint32_t x1304; ++ uint32_t x1305; ++ uint32_t x1306; ++ uint32_t x1307; ++ uint32_t x1308; ++ uint32_t x1309; ++ uint32_t x1310; ++ uint32_t x1311; ++ uint32_t x1312; ++ fiat_secp384r1_uint1 x1313; ++ uint32_t x1314; ++ fiat_secp384r1_uint1 x1315; ++ uint32_t x1316; ++ fiat_secp384r1_uint1 x1317; ++ uint32_t x1318; ++ fiat_secp384r1_uint1 x1319; ++ uint32_t x1320; ++ fiat_secp384r1_uint1 x1321; ++ uint32_t x1322; ++ fiat_secp384r1_uint1 x1323; ++ uint32_t x1324; ++ fiat_secp384r1_uint1 x1325; ++ uint32_t x1326; ++ fiat_secp384r1_uint1 x1327; ++ uint32_t x1328; ++ uint32_t x1329; ++ fiat_secp384r1_uint1 x1330; ++ uint32_t x1331; ++ fiat_secp384r1_uint1 x1332; ++ uint32_t x1333; ++ fiat_secp384r1_uint1 x1334; ++ uint32_t x1335; ++ fiat_secp384r1_uint1 x1336; ++ uint32_t x1337; ++ fiat_secp384r1_uint1 x1338; ++ uint32_t x1339; ++ fiat_secp384r1_uint1 x1340; ++ uint32_t x1341; ++ fiat_secp384r1_uint1 x1342; ++ uint32_t x1343; ++ fiat_secp384r1_uint1 x1344; ++ uint32_t x1345; ++ fiat_secp384r1_uint1 x1346; ++ uint32_t x1347; ++ fiat_secp384r1_uint1 x1348; ++ uint32_t x1349; ++ fiat_secp384r1_uint1 x1350; ++ uint32_t x1351; ++ fiat_secp384r1_uint1 x1352; ++ uint32_t x1353; ++ fiat_secp384r1_uint1 x1354; ++ uint32_t x1355; ++ uint32_t x1356; ++ uint32_t x1357; ++ uint32_t x1358; ++ uint32_t x1359; ++ uint32_t x1360; ++ uint32_t x1361; ++ uint32_t x1362; ++ uint32_t x1363; ++ uint32_t x1364; ++ uint32_t x1365; ++ uint32_t x1366; ++ uint32_t x1367; ++ uint32_t x1368; ++ uint32_t x1369; ++ uint32_t x1370; ++ uint32_t x1371; ++ uint32_t x1372; ++ uint32_t x1373; ++ uint32_t x1374; ++ uint32_t x1375; ++ uint32_t x1376; ++ uint32_t x1377; ++ uint32_t x1378; ++ uint32_t x1379; ++ uint32_t x1380; ++ fiat_secp384r1_uint1 x1381; ++ uint32_t x1382; ++ fiat_secp384r1_uint1 x1383; ++ uint32_t x1384; ++ fiat_secp384r1_uint1 x1385; ++ uint32_t x1386; ++ fiat_secp384r1_uint1 x1387; ++ uint32_t x1388; ++ fiat_secp384r1_uint1 x1389; ++ uint32_t x1390; ++ fiat_secp384r1_uint1 x1391; ++ uint32_t x1392; ++ fiat_secp384r1_uint1 x1393; ++ uint32_t x1394; ++ fiat_secp384r1_uint1 x1395; ++ uint32_t x1396; ++ fiat_secp384r1_uint1 x1397; ++ uint32_t x1398; ++ fiat_secp384r1_uint1 x1399; ++ uint32_t x1400; ++ fiat_secp384r1_uint1 x1401; ++ uint32_t x1402; ++ uint32_t x1403; ++ fiat_secp384r1_uint1 x1404; ++ uint32_t x1405; ++ fiat_secp384r1_uint1 x1406; ++ uint32_t x1407; ++ fiat_secp384r1_uint1 x1408; ++ uint32_t x1409; ++ fiat_secp384r1_uint1 x1410; ++ uint32_t x1411; ++ fiat_secp384r1_uint1 x1412; ++ uint32_t x1413; ++ fiat_secp384r1_uint1 x1414; ++ uint32_t x1415; ++ fiat_secp384r1_uint1 x1416; ++ uint32_t x1417; ++ fiat_secp384r1_uint1 x1418; ++ uint32_t x1419; ++ fiat_secp384r1_uint1 x1420; ++ uint32_t x1421; ++ fiat_secp384r1_uint1 x1422; ++ uint32_t x1423; ++ fiat_secp384r1_uint1 x1424; ++ uint32_t x1425; ++ fiat_secp384r1_uint1 x1426; ++ uint32_t x1427; ++ fiat_secp384r1_uint1 x1428; ++ uint32_t x1429; ++ uint32_t x1430; ++ uint32_t x1431; ++ uint32_t x1432; ++ uint32_t x1433; ++ uint32_t x1434; ++ uint32_t x1435; ++ uint32_t x1436; ++ uint32_t x1437; ++ uint32_t x1438; ++ uint32_t x1439; ++ uint32_t x1440; ++ uint32_t x1441; ++ uint32_t x1442; ++ uint32_t x1443; ++ uint32_t x1444; ++ uint32_t x1445; ++ uint32_t x1446; ++ uint32_t x1447; ++ uint32_t x1448; ++ uint32_t x1449; ++ fiat_secp384r1_uint1 x1450; ++ uint32_t x1451; ++ fiat_secp384r1_uint1 x1452; ++ uint32_t x1453; ++ fiat_secp384r1_uint1 x1454; ++ uint32_t x1455; ++ fiat_secp384r1_uint1 x1456; ++ uint32_t x1457; ++ fiat_secp384r1_uint1 x1458; ++ uint32_t x1459; ++ fiat_secp384r1_uint1 x1460; ++ uint32_t x1461; ++ fiat_secp384r1_uint1 x1462; ++ uint32_t x1463; ++ fiat_secp384r1_uint1 x1464; ++ uint32_t x1465; ++ uint32_t x1466; ++ fiat_secp384r1_uint1 x1467; ++ uint32_t x1468; ++ fiat_secp384r1_uint1 x1469; ++ uint32_t x1470; ++ fiat_secp384r1_uint1 x1471; ++ uint32_t x1472; ++ fiat_secp384r1_uint1 x1473; ++ uint32_t x1474; ++ fiat_secp384r1_uint1 x1475; ++ uint32_t x1476; ++ fiat_secp384r1_uint1 x1477; ++ uint32_t x1478; ++ fiat_secp384r1_uint1 x1479; ++ uint32_t x1480; ++ fiat_secp384r1_uint1 x1481; ++ uint32_t x1482; ++ fiat_secp384r1_uint1 x1483; ++ uint32_t x1484; ++ fiat_secp384r1_uint1 x1485; ++ uint32_t x1486; ++ fiat_secp384r1_uint1 x1487; ++ uint32_t x1488; ++ fiat_secp384r1_uint1 x1489; ++ uint32_t x1490; ++ fiat_secp384r1_uint1 x1491; ++ uint32_t x1492; ++ uint32_t x1493; ++ uint32_t x1494; ++ uint32_t x1495; ++ uint32_t x1496; ++ uint32_t x1497; ++ uint32_t x1498; ++ uint32_t x1499; ++ uint32_t x1500; ++ uint32_t x1501; ++ uint32_t x1502; ++ uint32_t x1503; ++ uint32_t x1504; ++ uint32_t x1505; ++ uint32_t x1506; ++ uint32_t x1507; ++ uint32_t x1508; ++ uint32_t x1509; ++ uint32_t x1510; ++ uint32_t x1511; ++ uint32_t x1512; ++ uint32_t x1513; ++ uint32_t x1514; ++ uint32_t x1515; ++ uint32_t x1516; ++ uint32_t x1517; ++ fiat_secp384r1_uint1 x1518; ++ uint32_t x1519; ++ fiat_secp384r1_uint1 x1520; ++ uint32_t x1521; ++ fiat_secp384r1_uint1 x1522; ++ uint32_t x1523; ++ fiat_secp384r1_uint1 x1524; ++ uint32_t x1525; ++ fiat_secp384r1_uint1 x1526; ++ uint32_t x1527; ++ fiat_secp384r1_uint1 x1528; ++ uint32_t x1529; ++ fiat_secp384r1_uint1 x1530; ++ uint32_t x1531; ++ fiat_secp384r1_uint1 x1532; ++ uint32_t x1533; ++ fiat_secp384r1_uint1 x1534; ++ uint32_t x1535; ++ fiat_secp384r1_uint1 x1536; ++ uint32_t x1537; ++ fiat_secp384r1_uint1 x1538; ++ uint32_t x1539; ++ uint32_t x1540; ++ fiat_secp384r1_uint1 x1541; ++ uint32_t x1542; ++ fiat_secp384r1_uint1 x1543; ++ uint32_t x1544; ++ fiat_secp384r1_uint1 x1545; ++ uint32_t x1546; ++ fiat_secp384r1_uint1 x1547; ++ uint32_t x1548; ++ fiat_secp384r1_uint1 x1549; ++ uint32_t x1550; ++ fiat_secp384r1_uint1 x1551; ++ uint32_t x1552; ++ fiat_secp384r1_uint1 x1553; ++ uint32_t x1554; ++ fiat_secp384r1_uint1 x1555; ++ uint32_t x1556; ++ fiat_secp384r1_uint1 x1557; ++ uint32_t x1558; ++ fiat_secp384r1_uint1 x1559; ++ uint32_t x1560; ++ fiat_secp384r1_uint1 x1561; ++ uint32_t x1562; ++ fiat_secp384r1_uint1 x1563; ++ uint32_t x1564; ++ fiat_secp384r1_uint1 x1565; ++ uint32_t x1566; ++ uint32_t x1567; ++ uint32_t x1568; ++ uint32_t x1569; ++ uint32_t x1570; ++ uint32_t x1571; ++ uint32_t x1572; ++ uint32_t x1573; ++ uint32_t x1574; ++ uint32_t x1575; ++ uint32_t x1576; ++ uint32_t x1577; ++ uint32_t x1578; ++ uint32_t x1579; ++ uint32_t x1580; ++ uint32_t x1581; ++ uint32_t x1582; ++ uint32_t x1583; ++ uint32_t x1584; ++ uint32_t x1585; ++ uint32_t x1586; ++ fiat_secp384r1_uint1 x1587; ++ uint32_t x1588; ++ fiat_secp384r1_uint1 x1589; ++ uint32_t x1590; ++ fiat_secp384r1_uint1 x1591; ++ uint32_t x1592; ++ fiat_secp384r1_uint1 x1593; ++ uint32_t x1594; ++ fiat_secp384r1_uint1 x1595; ++ uint32_t x1596; ++ fiat_secp384r1_uint1 x1597; ++ uint32_t x1598; ++ fiat_secp384r1_uint1 x1599; ++ uint32_t x1600; ++ fiat_secp384r1_uint1 x1601; ++ uint32_t x1602; ++ uint32_t x1603; ++ fiat_secp384r1_uint1 x1604; ++ uint32_t x1605; ++ fiat_secp384r1_uint1 x1606; ++ uint32_t x1607; ++ fiat_secp384r1_uint1 x1608; ++ uint32_t x1609; ++ fiat_secp384r1_uint1 x1610; ++ uint32_t x1611; ++ fiat_secp384r1_uint1 x1612; ++ uint32_t x1613; ++ fiat_secp384r1_uint1 x1614; ++ uint32_t x1615; ++ fiat_secp384r1_uint1 x1616; ++ uint32_t x1617; ++ fiat_secp384r1_uint1 x1618; ++ uint32_t x1619; ++ fiat_secp384r1_uint1 x1620; ++ uint32_t x1621; ++ fiat_secp384r1_uint1 x1622; ++ uint32_t x1623; ++ fiat_secp384r1_uint1 x1624; ++ uint32_t x1625; ++ fiat_secp384r1_uint1 x1626; ++ uint32_t x1627; ++ fiat_secp384r1_uint1 x1628; ++ uint32_t x1629; ++ uint32_t x1630; ++ fiat_secp384r1_uint1 x1631; ++ uint32_t x1632; ++ fiat_secp384r1_uint1 x1633; ++ uint32_t x1634; ++ fiat_secp384r1_uint1 x1635; ++ uint32_t x1636; ++ fiat_secp384r1_uint1 x1637; ++ uint32_t x1638; ++ fiat_secp384r1_uint1 x1639; ++ uint32_t x1640; ++ fiat_secp384r1_uint1 x1641; ++ uint32_t x1642; ++ fiat_secp384r1_uint1 x1643; ++ uint32_t x1644; ++ fiat_secp384r1_uint1 x1645; ++ uint32_t x1646; ++ fiat_secp384r1_uint1 x1647; ++ uint32_t x1648; ++ fiat_secp384r1_uint1 x1649; ++ uint32_t x1650; ++ fiat_secp384r1_uint1 x1651; ++ uint32_t x1652; ++ fiat_secp384r1_uint1 x1653; ++ uint32_t x1654; ++ fiat_secp384r1_uint1 x1655; ++ uint32_t x1656; ++ uint32_t x1657; ++ uint32_t x1658; ++ uint32_t x1659; ++ uint32_t x1660; ++ uint32_t x1661; ++ uint32_t x1662; ++ uint32_t x1663; ++ uint32_t x1664; ++ uint32_t x1665; ++ uint32_t x1666; ++ uint32_t x1667; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[6]); ++ x7 = (arg1[7]); ++ x8 = (arg1[8]); ++ x9 = (arg1[9]); ++ x10 = (arg1[10]); ++ x11 = (arg1[11]); ++ x12 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x21, &x22, x12, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); ++ fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); ++ fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); ++ fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); ++ fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); ++ fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); ++ fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); ++ fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); ++ fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); ++ fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); ++ fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); ++ x59 = (x58 + x14); ++ fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); ++ fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); ++ fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); ++ fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); ++ fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); ++ fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); ++ fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); ++ fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); ++ x96 = (x95 + x61); ++ fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); ++ fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); ++ fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); ++ fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); ++ fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); ++ fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); ++ fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); ++ fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); ++ fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); ++ fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); ++ fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); ++ fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); ++ fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); ++ fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x144, x141); ++ fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); ++ fiat_secp384r1_addcarryx_u32(&x153, &x154, x152, x140, x137); ++ fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); ++ fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); ++ fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); ++ fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); ++ fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); ++ fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); ++ fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); ++ x169 = (x168 + x124); ++ fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); ++ fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); ++ fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); ++ fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); ++ fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); ++ fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); ++ fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); ++ fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); ++ fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); ++ fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); ++ fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); ++ fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); ++ fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); ++ fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x210, &x211, x170, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); ++ fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); ++ fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); ++ fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); ++ fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); ++ fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); ++ fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); ++ fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); ++ x232 = (x231 + x197); ++ fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); ++ fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); ++ fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); ++ fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); ++ fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); ++ fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); ++ fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); ++ fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); ++ fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); ++ fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); ++ fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); ++ fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); ++ x259 = ((uint32_t)x258 + x195); ++ fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x276, &x277, x2, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); ++ fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); ++ fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); ++ fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); ++ fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); ++ fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); ++ fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); ++ fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); ++ fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); ++ fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); ++ fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); ++ x306 = (x305 + x261); ++ fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); ++ fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); ++ fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); ++ fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); ++ fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); ++ fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); ++ fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); ++ fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); ++ fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); ++ fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); ++ fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); ++ fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); ++ fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); ++ fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x335, &x336, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); ++ fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); ++ fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); ++ fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); ++ fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); ++ fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); ++ fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); ++ x369 = (x368 + x334); ++ fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); ++ fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); ++ fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); ++ fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); ++ fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); ++ fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); ++ fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); ++ fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); ++ fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); ++ fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); ++ fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); ++ fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); ++ x396 = ((uint32_t)x395 + x332); ++ fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); ++ fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); ++ fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); ++ fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); ++ fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); ++ fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); ++ fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); ++ fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); ++ fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); ++ fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); ++ fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); ++ x443 = (x442 + x398); ++ fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); ++ fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); ++ fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); ++ fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); ++ fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); ++ fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); ++ fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); ++ fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); ++ fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x388, x435); ++ fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x390, x437); ++ fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); ++ fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); ++ fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); ++ fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); ++ fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); ++ fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); ++ fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); ++ fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); ++ fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); ++ fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); ++ fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); ++ x506 = (x505 + x471); ++ fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); ++ fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); ++ fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); ++ fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); ++ fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); ++ fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); ++ fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); ++ fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); ++ fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); ++ fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); ++ fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); ++ fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); ++ x533 = ((uint32_t)x532 + x469); ++ fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); ++ fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); ++ fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); ++ fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); ++ fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); ++ fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); ++ fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); ++ fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); ++ fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); ++ fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); ++ fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); ++ x580 = (x579 + x535); ++ fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); ++ fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); ++ fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); ++ fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); ++ fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); ++ fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); ++ fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); ++ fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); ++ fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); ++ fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); ++ fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); ++ fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); ++ fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); ++ fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); ++ fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); ++ fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); ++ fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); ++ fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); ++ fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); ++ fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); ++ fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); ++ x643 = (x642 + x608); ++ fiat_secp384r1_addcarryx_u32(&x644, &x645, 0x0, x581, x625); ++ fiat_secp384r1_addcarryx_u32(&x646, &x647, x645, x583, x626); ++ fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); ++ fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); ++ fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); ++ fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); ++ fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); ++ fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); ++ fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); ++ fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); ++ fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); ++ fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); ++ x670 = ((uint32_t)x669 + x606); ++ fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); ++ fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); ++ fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); ++ fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); ++ fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); ++ fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); ++ fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); ++ fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); ++ fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); ++ fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); ++ fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); ++ x717 = (x716 + x672); ++ fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); ++ fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); ++ fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); ++ fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); ++ fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); ++ fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); ++ fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); ++ fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); ++ fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); ++ fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); ++ fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); ++ fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); ++ fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); ++ fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); ++ fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); ++ fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x757, x754); ++ fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x755, x752); ++ fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); ++ fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); ++ fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); ++ fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); ++ x780 = (x779 + x745); ++ fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); ++ fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); ++ fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); ++ fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); ++ fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); ++ fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); ++ fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); ++ fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); ++ fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); ++ fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); ++ fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); ++ fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); ++ x807 = ((uint32_t)x806 + x743); ++ fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, x828); ++ fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, x826); ++ fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); ++ fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); ++ fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); ++ fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); ++ fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); ++ fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); ++ fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); ++ fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); ++ fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); ++ x854 = (x853 + x809); ++ fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); ++ fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); ++ fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); ++ fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); ++ fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); ++ fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); ++ fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); ++ fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); ++ fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); ++ fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); ++ fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); ++ fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); ++ fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); ++ fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x893, &x894, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x895, &x896, x855, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); ++ fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); ++ fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); ++ fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); ++ fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); ++ fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); ++ fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); ++ fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); ++ x917 = (x916 + x882); ++ fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); ++ fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); ++ fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); ++ fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); ++ fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); ++ fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); ++ fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); ++ fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); ++ fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); ++ fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); ++ fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); ++ fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); ++ x944 = ((uint32_t)x943 + x880); ++ fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); ++ fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); ++ fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); ++ fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); ++ fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); ++ fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); ++ fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); ++ fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); ++ fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); ++ fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); ++ fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); ++ x991 = (x990 + x946); ++ fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); ++ fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); ++ fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); ++ fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); ++ fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); ++ fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); ++ fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); ++ fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); ++ fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); ++ fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); ++ fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); ++ fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); ++ fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); ++ fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1020, &x1021, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); ++ fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); ++ fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); ++ fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); ++ fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); ++ fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); ++ fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); ++ fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); ++ x1054 = (x1053 + x1019); ++ fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); ++ fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); ++ fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); ++ fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); ++ fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); ++ fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); ++ fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); ++ fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); ++ fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); ++ fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1012, x1050); ++ fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); ++ fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); ++ x1081 = ((uint32_t)x1080 + x1017); ++ fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); ++ fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); ++ fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); ++ fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); ++ fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); ++ fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); ++ fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); ++ fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); ++ fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); ++ fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); ++ fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); ++ x1128 = (x1127 + x1083); ++ fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); ++ fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); ++ fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); ++ fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); ++ fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, x1065, x1112); ++ fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); ++ fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); ++ fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); ++ fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); ++ fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); ++ fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); ++ fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); ++ fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); ++ fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); ++ fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); ++ fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); ++ fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); ++ fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); ++ fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); ++ fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); ++ fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); ++ x1191 = (x1190 + x1156); ++ fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, x1129, x1173); ++ fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); ++ fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); ++ fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); ++ fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); ++ fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); ++ fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); ++ fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); ++ fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); ++ fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); ++ fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); ++ fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); ++ x1218 = ((uint32_t)x1217 + x1154); ++ fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); ++ fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); ++ fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); ++ fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); ++ fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); ++ fiat_secp384r1_addcarryx_u32(&x1253, &x1254, x1252, x1232, x1229); ++ fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); ++ fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); ++ fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); ++ fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); ++ fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); ++ x1265 = (x1264 + x1220); ++ fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); ++ fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); ++ fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); ++ fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); ++ fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); ++ fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); ++ fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); ++ fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); ++ fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); ++ fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); ++ fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); ++ fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); ++ fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); ++ fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1310, &x1311, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); ++ fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); ++ fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); ++ fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); ++ fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); ++ fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); ++ fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); ++ fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); ++ x1328 = (x1327 + x1293); ++ fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); ++ fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); ++ fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); ++ fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); ++ fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); ++ fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); ++ fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); ++ fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); ++ fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); ++ fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); ++ fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); ++ fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); ++ x1355 = ((uint32_t)x1354 + x1291); ++ fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); ++ fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); ++ fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); ++ fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); ++ fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); ++ fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); ++ fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); ++ fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); ++ fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); ++ fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); ++ fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); ++ x1402 = (x1401 + x1357); ++ fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); ++ fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); ++ fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); ++ fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); ++ fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); ++ fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); ++ fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); ++ fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); ++ fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); ++ fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); ++ fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); ++ fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); ++ fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, x1402); ++ fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); ++ fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); ++ fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); ++ fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); ++ fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); ++ fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); ++ fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); ++ fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); ++ x1465 = (x1464 + x1430); ++ fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); ++ fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); ++ fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); ++ fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); ++ fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); ++ fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); ++ fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); ++ fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); ++ fiat_secp384r1_addcarryx_u32(&x1484, &x1485, x1483, x1421, x1459); ++ fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); ++ fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); ++ fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); ++ x1492 = ((uint32_t)x1491 + x1428); ++ fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); ++ fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); ++ fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); ++ fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); ++ fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); ++ fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); ++ fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); ++ fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); ++ fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); ++ fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); ++ fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); ++ x1539 = (x1538 + x1494); ++ fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); ++ fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); ++ fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); ++ fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); ++ fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); ++ fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); ++ fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); ++ fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); ++ fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); ++ fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); ++ fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); ++ fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); ++ fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); ++ fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); ++ fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); ++ fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); ++ fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); ++ fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); ++ fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); ++ fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); ++ fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); ++ x1602 = (x1601 + x1567); ++ fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); ++ fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); ++ fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); ++ fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); ++ fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); ++ fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); ++ fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); ++ fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); ++ fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); ++ fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); ++ fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); ++ fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); ++ x1629 = ((uint32_t)x1628 + x1565); ++ fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); ++ fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); ++ fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); ++ fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); ++ fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); ++ fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); ++ fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); ++ fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); ++ fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); ++ fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); ++ fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); ++ fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); ++ out1[0] = x1656; ++ out1[1] = x1657; ++ out1[2] = x1658; ++ out1[3] = x1659; ++ out1[4] = x1660; ++ out1[5] = x1661; ++ out1[6] = x1662; ++ out1[7] = x1663; ++ out1[8] = x1664; ++ out1[9] = x1665; ++ out1[10] = x1666; ++ out1[11] = x1667; ++} ++ ++/* ++ * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_add(uint32_t out1[12], const uint32_t arg1[12], ++ const uint32_t arg2[12]) ++{ ++ uint32_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint32_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint32_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint32_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint32_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint32_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint32_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint32_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint32_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint32_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint32_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint32_t x27; ++ fiat_secp384r1_uint1 x28; ++ uint32_t x29; ++ fiat_secp384r1_uint1 x30; ++ uint32_t x31; ++ fiat_secp384r1_uint1 x32; ++ uint32_t x33; ++ fiat_secp384r1_uint1 x34; ++ uint32_t x35; ++ fiat_secp384r1_uint1 x36; ++ uint32_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint32_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint32_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ uint32_t x52; ++ uint32_t x53; ++ uint32_t x54; ++ uint32_t x55; ++ uint32_t x56; ++ uint32_t x57; ++ uint32_t x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ fiat_secp384r1_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); ++ fiat_secp384r1_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); ++ fiat_secp384r1_addcarryx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); ++ fiat_secp384r1_addcarryx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); ++ fiat_secp384r1_addcarryx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); ++ fiat_secp384r1_addcarryx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); ++ fiat_secp384r1_subborrowx_u32(&x25, &x26, 0x0, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x27, &x28, x26, x3, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x29, &x30, x28, x5, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x31, &x32, x30, x7, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x33, &x34, x32, x9, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x35, &x36, x34, x11, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x37, &x38, x36, x13, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x39, &x40, x38, x15, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x41, &x42, x40, x17, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x43, &x44, x42, x19, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x45, &x46, x44, x21, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x47, &x48, x46, x23, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x49, &x50, x48, x24, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x51, x50, x25, x1); ++ fiat_secp384r1_cmovznz_u32(&x52, x50, x27, x3); ++ fiat_secp384r1_cmovznz_u32(&x53, x50, x29, x5); ++ fiat_secp384r1_cmovznz_u32(&x54, x50, x31, x7); ++ fiat_secp384r1_cmovznz_u32(&x55, x50, x33, x9); ++ fiat_secp384r1_cmovznz_u32(&x56, x50, x35, x11); ++ fiat_secp384r1_cmovznz_u32(&x57, x50, x37, x13); ++ fiat_secp384r1_cmovznz_u32(&x58, x50, x39, x15); ++ fiat_secp384r1_cmovznz_u32(&x59, x50, x41, x17); ++ fiat_secp384r1_cmovznz_u32(&x60, x50, x43, x19); ++ fiat_secp384r1_cmovznz_u32(&x61, x50, x45, x21); ++ fiat_secp384r1_cmovznz_u32(&x62, x50, x47, x23); ++ out1[0] = x51; ++ out1[1] = x52; ++ out1[2] = x53; ++ out1[3] = x54; ++ out1[4] = x55; ++ out1[5] = x56; ++ out1[6] = x57; ++ out1[7] = x58; ++ out1[8] = x59; ++ out1[9] = x60; ++ out1[10] = x61; ++ out1[11] = x62; ++} ++ ++/* ++ * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_sub(uint32_t out1[12], const uint32_t arg1[12], ++ const uint32_t arg2[12]) ++{ ++ uint32_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint32_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint32_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint32_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint32_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint32_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint32_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint32_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint32_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint32_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint32_t x25; ++ uint32_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint32_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint32_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint32_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint32_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint32_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint32_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint32_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint32_t x42; ++ fiat_secp384r1_uint1 x43; ++ uint32_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint32_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint32_t x48; ++ fiat_secp384r1_uint1 x49; ++ fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); ++ fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); ++ fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); ++ fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); ++ fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); ++ fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); ++ fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, ++ (x25 & UINT32_C(0xfffffffe))); ++ fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, ++ (x25 & UINT32_C(0xffffffff))); ++ out1[0] = x26; ++ out1[1] = x28; ++ out1[2] = x30; ++ out1[3] = x32; ++ out1[4] = x34; ++ out1[5] = x36; ++ out1[6] = x38; ++ out1[7] = x40; ++ out1[8] = x42; ++ out1[9] = x44; ++ out1[10] = x46; ++ out1[11] = x48; ++} ++ ++/* ++ * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_opp(uint32_t out1[12], const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint32_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint32_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint32_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint32_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint32_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint32_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint32_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint32_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint32_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint32_t x25; ++ uint32_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint32_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint32_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint32_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint32_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint32_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint32_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint32_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint32_t x42; ++ fiat_secp384r1_uint1 x43; ++ uint32_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint32_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint32_t x48; ++ fiat_secp384r1_uint1 x49; ++ fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); ++ fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); ++ fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); ++ fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); ++ fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); ++ fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); ++ fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); ++ fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); ++ fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, 0x0, (arg1[8])); ++ fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, 0x0, (arg1[9])); ++ fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, 0x0, (arg1[10])); ++ fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, 0x0, (arg1[11])); ++ fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, ++ (x25 & UINT32_C(0xfffffffe))); ++ fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, ++ (x25 & UINT32_C(0xffffffff))); ++ out1[0] = x26; ++ out1[1] = x28; ++ out1[2] = x30; ++ out1[3] = x32; ++ out1[4] = x34; ++ out1[5] = x36; ++ out1[6] = x38; ++ out1[7] = x40; ++ out1[8] = x42; ++ out1[9] = x44; ++ out1[10] = x46; ++ out1[11] = x48; ++} ++ ++/* ++ * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = (eval arg1 * ((2^32)â»Â¹ mod m)^12) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_from_montgomery(uint32_t out1[12], ++ const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint32_t x24; ++ fiat_secp384r1_uint1 x25; ++ uint32_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint32_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint32_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint32_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint32_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint32_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint32_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint32_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint32_t x42; ++ uint32_t x43; ++ uint32_t x44; ++ uint32_t x45; ++ uint32_t x46; ++ uint32_t x47; ++ uint32_t x48; ++ uint32_t x49; ++ uint32_t x50; ++ uint32_t x51; ++ uint32_t x52; ++ uint32_t x53; ++ uint32_t x54; ++ uint32_t x55; ++ uint32_t x56; ++ uint32_t x57; ++ uint32_t x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ fiat_secp384r1_uint1 x63; ++ uint32_t x64; ++ fiat_secp384r1_uint1 x65; ++ uint32_t x66; ++ fiat_secp384r1_uint1 x67; ++ uint32_t x68; ++ fiat_secp384r1_uint1 x69; ++ uint32_t x70; ++ fiat_secp384r1_uint1 x71; ++ uint32_t x72; ++ fiat_secp384r1_uint1 x73; ++ uint32_t x74; ++ fiat_secp384r1_uint1 x75; ++ uint32_t x76; ++ fiat_secp384r1_uint1 x77; ++ uint32_t x78; ++ fiat_secp384r1_uint1 x79; ++ uint32_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint32_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint32_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint32_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint32_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint32_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint32_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint32_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint32_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint32_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint32_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint32_t x102; ++ fiat_secp384r1_uint1 x103; ++ uint32_t x104; ++ fiat_secp384r1_uint1 x105; ++ uint32_t x106; ++ fiat_secp384r1_uint1 x107; ++ uint32_t x108; ++ fiat_secp384r1_uint1 x109; ++ uint32_t x110; ++ fiat_secp384r1_uint1 x111; ++ uint32_t x112; ++ fiat_secp384r1_uint1 x113; ++ uint32_t x114; ++ fiat_secp384r1_uint1 x115; ++ uint32_t x116; ++ fiat_secp384r1_uint1 x117; ++ uint32_t x118; ++ fiat_secp384r1_uint1 x119; ++ uint32_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint32_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint32_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint32_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ uint32_t x138; ++ uint32_t x139; ++ uint32_t x140; ++ uint32_t x141; ++ uint32_t x142; ++ uint32_t x143; ++ uint32_t x144; ++ uint32_t x145; ++ uint32_t x146; ++ uint32_t x147; ++ uint32_t x148; ++ fiat_secp384r1_uint1 x149; ++ uint32_t x150; ++ fiat_secp384r1_uint1 x151; ++ uint32_t x152; ++ fiat_secp384r1_uint1 x153; ++ uint32_t x154; ++ fiat_secp384r1_uint1 x155; ++ uint32_t x156; ++ fiat_secp384r1_uint1 x157; ++ uint32_t x158; ++ fiat_secp384r1_uint1 x159; ++ uint32_t x160; ++ fiat_secp384r1_uint1 x161; ++ uint32_t x162; ++ fiat_secp384r1_uint1 x163; ++ uint32_t x164; ++ fiat_secp384r1_uint1 x165; ++ uint32_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint32_t x168; ++ fiat_secp384r1_uint1 x169; ++ uint32_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint32_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint32_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint32_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint32_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint32_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint32_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint32_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint32_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint32_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint32_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint32_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint32_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint32_t x196; ++ fiat_secp384r1_uint1 x197; ++ uint32_t x198; ++ fiat_secp384r1_uint1 x199; ++ uint32_t x200; ++ fiat_secp384r1_uint1 x201; ++ uint32_t x202; ++ fiat_secp384r1_uint1 x203; ++ uint32_t x204; ++ fiat_secp384r1_uint1 x205; ++ uint32_t x206; ++ fiat_secp384r1_uint1 x207; ++ uint32_t x208; ++ fiat_secp384r1_uint1 x209; ++ uint32_t x210; ++ fiat_secp384r1_uint1 x211; ++ uint32_t x212; ++ fiat_secp384r1_uint1 x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ uint32_t x217; ++ uint32_t x218; ++ uint32_t x219; ++ uint32_t x220; ++ uint32_t x221; ++ uint32_t x222; ++ uint32_t x223; ++ uint32_t x224; ++ uint32_t x225; ++ uint32_t x226; ++ uint32_t x227; ++ uint32_t x228; ++ uint32_t x229; ++ uint32_t x230; ++ uint32_t x231; ++ uint32_t x232; ++ uint32_t x233; ++ uint32_t x234; ++ fiat_secp384r1_uint1 x235; ++ uint32_t x236; ++ fiat_secp384r1_uint1 x237; ++ uint32_t x238; ++ fiat_secp384r1_uint1 x239; ++ uint32_t x240; ++ fiat_secp384r1_uint1 x241; ++ uint32_t x242; ++ fiat_secp384r1_uint1 x243; ++ uint32_t x244; ++ fiat_secp384r1_uint1 x245; ++ uint32_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint32_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint32_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint32_t x252; ++ fiat_secp384r1_uint1 x253; ++ uint32_t x254; ++ fiat_secp384r1_uint1 x255; ++ uint32_t x256; ++ fiat_secp384r1_uint1 x257; ++ uint32_t x258; ++ fiat_secp384r1_uint1 x259; ++ uint32_t x260; ++ fiat_secp384r1_uint1 x261; ++ uint32_t x262; ++ fiat_secp384r1_uint1 x263; ++ uint32_t x264; ++ fiat_secp384r1_uint1 x265; ++ uint32_t x266; ++ fiat_secp384r1_uint1 x267; ++ uint32_t x268; ++ fiat_secp384r1_uint1 x269; ++ uint32_t x270; ++ fiat_secp384r1_uint1 x271; ++ uint32_t x272; ++ fiat_secp384r1_uint1 x273; ++ uint32_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint32_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint32_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint32_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint32_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint32_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint32_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint32_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint32_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint32_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint32_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint32_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint32_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint32_t x300; ++ uint32_t x301; ++ uint32_t x302; ++ uint32_t x303; ++ uint32_t x304; ++ uint32_t x305; ++ uint32_t x306; ++ uint32_t x307; ++ uint32_t x308; ++ uint32_t x309; ++ uint32_t x310; ++ uint32_t x311; ++ uint32_t x312; ++ uint32_t x313; ++ uint32_t x314; ++ uint32_t x315; ++ uint32_t x316; ++ uint32_t x317; ++ uint32_t x318; ++ uint32_t x319; ++ uint32_t x320; ++ fiat_secp384r1_uint1 x321; ++ uint32_t x322; ++ fiat_secp384r1_uint1 x323; ++ uint32_t x324; ++ fiat_secp384r1_uint1 x325; ++ uint32_t x326; ++ fiat_secp384r1_uint1 x327; ++ uint32_t x328; ++ fiat_secp384r1_uint1 x329; ++ uint32_t x330; ++ fiat_secp384r1_uint1 x331; ++ uint32_t x332; ++ fiat_secp384r1_uint1 x333; ++ uint32_t x334; ++ fiat_secp384r1_uint1 x335; ++ uint32_t x336; ++ fiat_secp384r1_uint1 x337; ++ uint32_t x338; ++ fiat_secp384r1_uint1 x339; ++ uint32_t x340; ++ fiat_secp384r1_uint1 x341; ++ uint32_t x342; ++ fiat_secp384r1_uint1 x343; ++ uint32_t x344; ++ fiat_secp384r1_uint1 x345; ++ uint32_t x346; ++ fiat_secp384r1_uint1 x347; ++ uint32_t x348; ++ fiat_secp384r1_uint1 x349; ++ uint32_t x350; ++ fiat_secp384r1_uint1 x351; ++ uint32_t x352; ++ fiat_secp384r1_uint1 x353; ++ uint32_t x354; ++ fiat_secp384r1_uint1 x355; ++ uint32_t x356; ++ fiat_secp384r1_uint1 x357; ++ uint32_t x358; ++ fiat_secp384r1_uint1 x359; ++ uint32_t x360; ++ fiat_secp384r1_uint1 x361; ++ uint32_t x362; ++ fiat_secp384r1_uint1 x363; ++ uint32_t x364; ++ fiat_secp384r1_uint1 x365; ++ uint32_t x366; ++ fiat_secp384r1_uint1 x367; ++ uint32_t x368; ++ fiat_secp384r1_uint1 x369; ++ uint32_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint32_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint32_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint32_t x376; ++ fiat_secp384r1_uint1 x377; ++ uint32_t x378; ++ fiat_secp384r1_uint1 x379; ++ uint32_t x380; ++ fiat_secp384r1_uint1 x381; ++ uint32_t x382; ++ fiat_secp384r1_uint1 x383; ++ uint32_t x384; ++ fiat_secp384r1_uint1 x385; ++ uint32_t x386; ++ uint32_t x387; ++ uint32_t x388; ++ uint32_t x389; ++ uint32_t x390; ++ uint32_t x391; ++ uint32_t x392; ++ uint32_t x393; ++ uint32_t x394; ++ uint32_t x395; ++ uint32_t x396; ++ uint32_t x397; ++ uint32_t x398; ++ uint32_t x399; ++ uint32_t x400; ++ uint32_t x401; ++ uint32_t x402; ++ uint32_t x403; ++ uint32_t x404; ++ uint32_t x405; ++ uint32_t x406; ++ fiat_secp384r1_uint1 x407; ++ uint32_t x408; ++ fiat_secp384r1_uint1 x409; ++ uint32_t x410; ++ fiat_secp384r1_uint1 x411; ++ uint32_t x412; ++ fiat_secp384r1_uint1 x413; ++ uint32_t x414; ++ fiat_secp384r1_uint1 x415; ++ uint32_t x416; ++ fiat_secp384r1_uint1 x417; ++ uint32_t x418; ++ fiat_secp384r1_uint1 x419; ++ uint32_t x420; ++ fiat_secp384r1_uint1 x421; ++ uint32_t x422; ++ fiat_secp384r1_uint1 x423; ++ uint32_t x424; ++ fiat_secp384r1_uint1 x425; ++ uint32_t x426; ++ fiat_secp384r1_uint1 x427; ++ uint32_t x428; ++ fiat_secp384r1_uint1 x429; ++ uint32_t x430; ++ fiat_secp384r1_uint1 x431; ++ uint32_t x432; ++ fiat_secp384r1_uint1 x433; ++ uint32_t x434; ++ fiat_secp384r1_uint1 x435; ++ uint32_t x436; ++ fiat_secp384r1_uint1 x437; ++ uint32_t x438; ++ fiat_secp384r1_uint1 x439; ++ uint32_t x440; ++ fiat_secp384r1_uint1 x441; ++ uint32_t x442; ++ fiat_secp384r1_uint1 x443; ++ uint32_t x444; ++ fiat_secp384r1_uint1 x445; ++ uint32_t x446; ++ fiat_secp384r1_uint1 x447; ++ uint32_t x448; ++ fiat_secp384r1_uint1 x449; ++ uint32_t x450; ++ fiat_secp384r1_uint1 x451; ++ uint32_t x452; ++ fiat_secp384r1_uint1 x453; ++ uint32_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint32_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint32_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint32_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint32_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint32_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint32_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint32_t x468; ++ fiat_secp384r1_uint1 x469; ++ uint32_t x470; ++ fiat_secp384r1_uint1 x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ uint32_t x476; ++ uint32_t x477; ++ uint32_t x478; ++ uint32_t x479; ++ uint32_t x480; ++ uint32_t x481; ++ uint32_t x482; ++ uint32_t x483; ++ uint32_t x484; ++ uint32_t x485; ++ uint32_t x486; ++ uint32_t x487; ++ uint32_t x488; ++ uint32_t x489; ++ uint32_t x490; ++ uint32_t x491; ++ uint32_t x492; ++ fiat_secp384r1_uint1 x493; ++ uint32_t x494; ++ fiat_secp384r1_uint1 x495; ++ uint32_t x496; ++ fiat_secp384r1_uint1 x497; ++ uint32_t x498; ++ fiat_secp384r1_uint1 x499; ++ uint32_t x500; ++ fiat_secp384r1_uint1 x501; ++ uint32_t x502; ++ fiat_secp384r1_uint1 x503; ++ uint32_t x504; ++ fiat_secp384r1_uint1 x505; ++ uint32_t x506; ++ fiat_secp384r1_uint1 x507; ++ uint32_t x508; ++ fiat_secp384r1_uint1 x509; ++ uint32_t x510; ++ fiat_secp384r1_uint1 x511; ++ uint32_t x512; ++ fiat_secp384r1_uint1 x513; ++ uint32_t x514; ++ fiat_secp384r1_uint1 x515; ++ uint32_t x516; ++ fiat_secp384r1_uint1 x517; ++ uint32_t x518; ++ fiat_secp384r1_uint1 x519; ++ uint32_t x520; ++ fiat_secp384r1_uint1 x521; ++ uint32_t x522; ++ fiat_secp384r1_uint1 x523; ++ uint32_t x524; ++ fiat_secp384r1_uint1 x525; ++ uint32_t x526; ++ fiat_secp384r1_uint1 x527; ++ uint32_t x528; ++ fiat_secp384r1_uint1 x529; ++ uint32_t x530; ++ fiat_secp384r1_uint1 x531; ++ uint32_t x532; ++ fiat_secp384r1_uint1 x533; ++ uint32_t x534; ++ fiat_secp384r1_uint1 x535; ++ uint32_t x536; ++ fiat_secp384r1_uint1 x537; ++ uint32_t x538; ++ fiat_secp384r1_uint1 x539; ++ uint32_t x540; ++ fiat_secp384r1_uint1 x541; ++ uint32_t x542; ++ fiat_secp384r1_uint1 x543; ++ uint32_t x544; ++ fiat_secp384r1_uint1 x545; ++ uint32_t x546; ++ fiat_secp384r1_uint1 x547; ++ uint32_t x548; ++ fiat_secp384r1_uint1 x549; ++ uint32_t x550; ++ fiat_secp384r1_uint1 x551; ++ uint32_t x552; ++ fiat_secp384r1_uint1 x553; ++ uint32_t x554; ++ fiat_secp384r1_uint1 x555; ++ uint32_t x556; ++ fiat_secp384r1_uint1 x557; ++ uint32_t x558; ++ uint32_t x559; ++ uint32_t x560; ++ uint32_t x561; ++ uint32_t x562; ++ uint32_t x563; ++ uint32_t x564; ++ uint32_t x565; ++ uint32_t x566; ++ uint32_t x567; ++ uint32_t x568; ++ uint32_t x569; ++ uint32_t x570; ++ uint32_t x571; ++ uint32_t x572; ++ uint32_t x573; ++ uint32_t x574; ++ uint32_t x575; ++ uint32_t x576; ++ uint32_t x577; ++ uint32_t x578; ++ fiat_secp384r1_uint1 x579; ++ uint32_t x580; ++ fiat_secp384r1_uint1 x581; ++ uint32_t x582; ++ fiat_secp384r1_uint1 x583; ++ uint32_t x584; ++ fiat_secp384r1_uint1 x585; ++ uint32_t x586; ++ fiat_secp384r1_uint1 x587; ++ uint32_t x588; ++ fiat_secp384r1_uint1 x589; ++ uint32_t x590; ++ fiat_secp384r1_uint1 x591; ++ uint32_t x592; ++ fiat_secp384r1_uint1 x593; ++ uint32_t x594; ++ fiat_secp384r1_uint1 x595; ++ uint32_t x596; ++ fiat_secp384r1_uint1 x597; ++ uint32_t x598; ++ fiat_secp384r1_uint1 x599; ++ uint32_t x600; ++ fiat_secp384r1_uint1 x601; ++ uint32_t x602; ++ fiat_secp384r1_uint1 x603; ++ uint32_t x604; ++ fiat_secp384r1_uint1 x605; ++ uint32_t x606; ++ fiat_secp384r1_uint1 x607; ++ uint32_t x608; ++ fiat_secp384r1_uint1 x609; ++ uint32_t x610; ++ fiat_secp384r1_uint1 x611; ++ uint32_t x612; ++ fiat_secp384r1_uint1 x613; ++ uint32_t x614; ++ fiat_secp384r1_uint1 x615; ++ uint32_t x616; ++ fiat_secp384r1_uint1 x617; ++ uint32_t x618; ++ fiat_secp384r1_uint1 x619; ++ uint32_t x620; ++ fiat_secp384r1_uint1 x621; ++ uint32_t x622; ++ fiat_secp384r1_uint1 x623; ++ uint32_t x624; ++ fiat_secp384r1_uint1 x625; ++ uint32_t x626; ++ fiat_secp384r1_uint1 x627; ++ uint32_t x628; ++ fiat_secp384r1_uint1 x629; ++ uint32_t x630; ++ fiat_secp384r1_uint1 x631; ++ uint32_t x632; ++ fiat_secp384r1_uint1 x633; ++ uint32_t x634; ++ fiat_secp384r1_uint1 x635; ++ uint32_t x636; ++ fiat_secp384r1_uint1 x637; ++ uint32_t x638; ++ fiat_secp384r1_uint1 x639; ++ uint32_t x640; ++ fiat_secp384r1_uint1 x641; ++ uint32_t x642; ++ fiat_secp384r1_uint1 x643; ++ uint32_t x644; ++ uint32_t x645; ++ uint32_t x646; ++ uint32_t x647; ++ uint32_t x648; ++ uint32_t x649; ++ uint32_t x650; ++ uint32_t x651; ++ uint32_t x652; ++ uint32_t x653; ++ uint32_t x654; ++ uint32_t x655; ++ uint32_t x656; ++ uint32_t x657; ++ uint32_t x658; ++ uint32_t x659; ++ uint32_t x660; ++ uint32_t x661; ++ uint32_t x662; ++ uint32_t x663; ++ uint32_t x664; ++ fiat_secp384r1_uint1 x665; ++ uint32_t x666; ++ fiat_secp384r1_uint1 x667; ++ uint32_t x668; ++ fiat_secp384r1_uint1 x669; ++ uint32_t x670; ++ fiat_secp384r1_uint1 x671; ++ uint32_t x672; ++ fiat_secp384r1_uint1 x673; ++ uint32_t x674; ++ fiat_secp384r1_uint1 x675; ++ uint32_t x676; ++ fiat_secp384r1_uint1 x677; ++ uint32_t x678; ++ fiat_secp384r1_uint1 x679; ++ uint32_t x680; ++ fiat_secp384r1_uint1 x681; ++ uint32_t x682; ++ fiat_secp384r1_uint1 x683; ++ uint32_t x684; ++ fiat_secp384r1_uint1 x685; ++ uint32_t x686; ++ fiat_secp384r1_uint1 x687; ++ uint32_t x688; ++ fiat_secp384r1_uint1 x689; ++ uint32_t x690; ++ fiat_secp384r1_uint1 x691; ++ uint32_t x692; ++ fiat_secp384r1_uint1 x693; ++ uint32_t x694; ++ fiat_secp384r1_uint1 x695; ++ uint32_t x696; ++ fiat_secp384r1_uint1 x697; ++ uint32_t x698; ++ fiat_secp384r1_uint1 x699; ++ uint32_t x700; ++ fiat_secp384r1_uint1 x701; ++ uint32_t x702; ++ fiat_secp384r1_uint1 x703; ++ uint32_t x704; ++ fiat_secp384r1_uint1 x705; ++ uint32_t x706; ++ fiat_secp384r1_uint1 x707; ++ uint32_t x708; ++ fiat_secp384r1_uint1 x709; ++ uint32_t x710; ++ fiat_secp384r1_uint1 x711; ++ uint32_t x712; ++ fiat_secp384r1_uint1 x713; ++ uint32_t x714; ++ fiat_secp384r1_uint1 x715; ++ uint32_t x716; ++ fiat_secp384r1_uint1 x717; ++ uint32_t x718; ++ fiat_secp384r1_uint1 x719; ++ uint32_t x720; ++ fiat_secp384r1_uint1 x721; ++ uint32_t x722; ++ fiat_secp384r1_uint1 x723; ++ uint32_t x724; ++ fiat_secp384r1_uint1 x725; ++ uint32_t x726; ++ fiat_secp384r1_uint1 x727; ++ uint32_t x728; ++ fiat_secp384r1_uint1 x729; ++ uint32_t x730; ++ uint32_t x731; ++ uint32_t x732; ++ uint32_t x733; ++ uint32_t x734; ++ uint32_t x735; ++ uint32_t x736; ++ uint32_t x737; ++ uint32_t x738; ++ uint32_t x739; ++ uint32_t x740; ++ uint32_t x741; ++ uint32_t x742; ++ uint32_t x743; ++ uint32_t x744; ++ uint32_t x745; ++ uint32_t x746; ++ uint32_t x747; ++ uint32_t x748; ++ uint32_t x749; ++ uint32_t x750; ++ fiat_secp384r1_uint1 x751; ++ uint32_t x752; ++ fiat_secp384r1_uint1 x753; ++ uint32_t x754; ++ fiat_secp384r1_uint1 x755; ++ uint32_t x756; ++ fiat_secp384r1_uint1 x757; ++ uint32_t x758; ++ fiat_secp384r1_uint1 x759; ++ uint32_t x760; ++ fiat_secp384r1_uint1 x761; ++ uint32_t x762; ++ fiat_secp384r1_uint1 x763; ++ uint32_t x764; ++ fiat_secp384r1_uint1 x765; ++ uint32_t x766; ++ fiat_secp384r1_uint1 x767; ++ uint32_t x768; ++ fiat_secp384r1_uint1 x769; ++ uint32_t x770; ++ fiat_secp384r1_uint1 x771; ++ uint32_t x772; ++ fiat_secp384r1_uint1 x773; ++ uint32_t x774; ++ fiat_secp384r1_uint1 x775; ++ uint32_t x776; ++ fiat_secp384r1_uint1 x777; ++ uint32_t x778; ++ fiat_secp384r1_uint1 x779; ++ uint32_t x780; ++ fiat_secp384r1_uint1 x781; ++ uint32_t x782; ++ fiat_secp384r1_uint1 x783; ++ uint32_t x784; ++ fiat_secp384r1_uint1 x785; ++ uint32_t x786; ++ fiat_secp384r1_uint1 x787; ++ uint32_t x788; ++ fiat_secp384r1_uint1 x789; ++ uint32_t x790; ++ fiat_secp384r1_uint1 x791; ++ uint32_t x792; ++ fiat_secp384r1_uint1 x793; ++ uint32_t x794; ++ fiat_secp384r1_uint1 x795; ++ uint32_t x796; ++ fiat_secp384r1_uint1 x797; ++ uint32_t x798; ++ fiat_secp384r1_uint1 x799; ++ uint32_t x800; ++ fiat_secp384r1_uint1 x801; ++ uint32_t x802; ++ fiat_secp384r1_uint1 x803; ++ uint32_t x804; ++ fiat_secp384r1_uint1 x805; ++ uint32_t x806; ++ fiat_secp384r1_uint1 x807; ++ uint32_t x808; ++ fiat_secp384r1_uint1 x809; ++ uint32_t x810; ++ fiat_secp384r1_uint1 x811; ++ uint32_t x812; ++ fiat_secp384r1_uint1 x813; ++ uint32_t x814; ++ fiat_secp384r1_uint1 x815; ++ uint32_t x816; ++ uint32_t x817; ++ uint32_t x818; ++ uint32_t x819; ++ uint32_t x820; ++ uint32_t x821; ++ uint32_t x822; ++ uint32_t x823; ++ uint32_t x824; ++ uint32_t x825; ++ uint32_t x826; ++ uint32_t x827; ++ uint32_t x828; ++ uint32_t x829; ++ uint32_t x830; ++ uint32_t x831; ++ uint32_t x832; ++ uint32_t x833; ++ uint32_t x834; ++ uint32_t x835; ++ uint32_t x836; ++ fiat_secp384r1_uint1 x837; ++ uint32_t x838; ++ fiat_secp384r1_uint1 x839; ++ uint32_t x840; ++ fiat_secp384r1_uint1 x841; ++ uint32_t x842; ++ fiat_secp384r1_uint1 x843; ++ uint32_t x844; ++ fiat_secp384r1_uint1 x845; ++ uint32_t x846; ++ fiat_secp384r1_uint1 x847; ++ uint32_t x848; ++ fiat_secp384r1_uint1 x849; ++ uint32_t x850; ++ fiat_secp384r1_uint1 x851; ++ uint32_t x852; ++ fiat_secp384r1_uint1 x853; ++ uint32_t x854; ++ fiat_secp384r1_uint1 x855; ++ uint32_t x856; ++ fiat_secp384r1_uint1 x857; ++ uint32_t x858; ++ fiat_secp384r1_uint1 x859; ++ uint32_t x860; ++ fiat_secp384r1_uint1 x861; ++ uint32_t x862; ++ fiat_secp384r1_uint1 x863; ++ uint32_t x864; ++ fiat_secp384r1_uint1 x865; ++ uint32_t x866; ++ fiat_secp384r1_uint1 x867; ++ uint32_t x868; ++ fiat_secp384r1_uint1 x869; ++ uint32_t x870; ++ fiat_secp384r1_uint1 x871; ++ uint32_t x872; ++ fiat_secp384r1_uint1 x873; ++ uint32_t x874; ++ fiat_secp384r1_uint1 x875; ++ uint32_t x876; ++ fiat_secp384r1_uint1 x877; ++ uint32_t x878; ++ fiat_secp384r1_uint1 x879; ++ uint32_t x880; ++ fiat_secp384r1_uint1 x881; ++ uint32_t x882; ++ fiat_secp384r1_uint1 x883; ++ uint32_t x884; ++ fiat_secp384r1_uint1 x885; ++ uint32_t x886; ++ fiat_secp384r1_uint1 x887; ++ uint32_t x888; ++ fiat_secp384r1_uint1 x889; ++ uint32_t x890; ++ fiat_secp384r1_uint1 x891; ++ uint32_t x892; ++ fiat_secp384r1_uint1 x893; ++ uint32_t x894; ++ fiat_secp384r1_uint1 x895; ++ uint32_t x896; ++ fiat_secp384r1_uint1 x897; ++ uint32_t x898; ++ fiat_secp384r1_uint1 x899; ++ uint32_t x900; ++ fiat_secp384r1_uint1 x901; ++ uint32_t x902; ++ uint32_t x903; ++ uint32_t x904; ++ uint32_t x905; ++ uint32_t x906; ++ uint32_t x907; ++ uint32_t x908; ++ uint32_t x909; ++ uint32_t x910; ++ uint32_t x911; ++ uint32_t x912; ++ uint32_t x913; ++ uint32_t x914; ++ uint32_t x915; ++ uint32_t x916; ++ uint32_t x917; ++ uint32_t x918; ++ uint32_t x919; ++ uint32_t x920; ++ uint32_t x921; ++ uint32_t x922; ++ fiat_secp384r1_uint1 x923; ++ uint32_t x924; ++ fiat_secp384r1_uint1 x925; ++ uint32_t x926; ++ fiat_secp384r1_uint1 x927; ++ uint32_t x928; ++ fiat_secp384r1_uint1 x929; ++ uint32_t x930; ++ fiat_secp384r1_uint1 x931; ++ uint32_t x932; ++ fiat_secp384r1_uint1 x933; ++ uint32_t x934; ++ fiat_secp384r1_uint1 x935; ++ uint32_t x936; ++ fiat_secp384r1_uint1 x937; ++ uint32_t x938; ++ fiat_secp384r1_uint1 x939; ++ uint32_t x940; ++ fiat_secp384r1_uint1 x941; ++ uint32_t x942; ++ fiat_secp384r1_uint1 x943; ++ uint32_t x944; ++ fiat_secp384r1_uint1 x945; ++ uint32_t x946; ++ fiat_secp384r1_uint1 x947; ++ uint32_t x948; ++ fiat_secp384r1_uint1 x949; ++ uint32_t x950; ++ fiat_secp384r1_uint1 x951; ++ uint32_t x952; ++ fiat_secp384r1_uint1 x953; ++ uint32_t x954; ++ fiat_secp384r1_uint1 x955; ++ uint32_t x956; ++ fiat_secp384r1_uint1 x957; ++ uint32_t x958; ++ fiat_secp384r1_uint1 x959; ++ uint32_t x960; ++ fiat_secp384r1_uint1 x961; ++ uint32_t x962; ++ fiat_secp384r1_uint1 x963; ++ uint32_t x964; ++ fiat_secp384r1_uint1 x965; ++ uint32_t x966; ++ fiat_secp384r1_uint1 x967; ++ uint32_t x968; ++ fiat_secp384r1_uint1 x969; ++ uint32_t x970; ++ fiat_secp384r1_uint1 x971; ++ uint32_t x972; ++ fiat_secp384r1_uint1 x973; ++ uint32_t x974; ++ fiat_secp384r1_uint1 x975; ++ uint32_t x976; ++ fiat_secp384r1_uint1 x977; ++ uint32_t x978; ++ fiat_secp384r1_uint1 x979; ++ uint32_t x980; ++ fiat_secp384r1_uint1 x981; ++ uint32_t x982; ++ fiat_secp384r1_uint1 x983; ++ uint32_t x984; ++ fiat_secp384r1_uint1 x985; ++ uint32_t x986; ++ fiat_secp384r1_uint1 x987; ++ uint32_t x988; ++ fiat_secp384r1_uint1 x989; ++ uint32_t x990; ++ uint32_t x991; ++ uint32_t x992; ++ uint32_t x993; ++ uint32_t x994; ++ uint32_t x995; ++ uint32_t x996; ++ uint32_t x997; ++ uint32_t x998; ++ uint32_t x999; ++ uint32_t x1000; ++ uint32_t x1001; ++ x1 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x10, &x11, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x12, &x13, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x14, &x15, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x16, &x17, x1, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x18, &x19, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x20, &x21, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x22, &x23, 0x0, x19, x16); ++ fiat_secp384r1_addcarryx_u32(&x24, &x25, x23, x17, x14); ++ fiat_secp384r1_addcarryx_u32(&x26, &x27, x25, x15, x12); ++ fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x13, x10); ++ fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x11, x8); ++ fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x9, x6); ++ fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x7, x4); ++ fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x5, x2); ++ fiat_secp384r1_addcarryx_u32(&x38, &x39, 0x0, x1, x20); ++ fiat_secp384r1_addcarryx_u32(&x40, &x41, 0x0, (x39 + x21), (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x42, &x43, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x44, &x45, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x46, &x47, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x48, &x49, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x50, &x51, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x52, &x53, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x54, &x55, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x56, &x57, x40, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x58, &x59, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x60, &x61, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x62, &x63, 0x0, x59, x56); ++ fiat_secp384r1_addcarryx_u32(&x64, &x65, x63, x57, x54); ++ fiat_secp384r1_addcarryx_u32(&x66, &x67, x65, x55, x52); ++ fiat_secp384r1_addcarryx_u32(&x68, &x69, x67, x53, x50); ++ fiat_secp384r1_addcarryx_u32(&x70, &x71, x69, x51, x48); ++ fiat_secp384r1_addcarryx_u32(&x72, &x73, x71, x49, x46); ++ fiat_secp384r1_addcarryx_u32(&x74, &x75, x73, x47, x44); ++ fiat_secp384r1_addcarryx_u32(&x76, &x77, x75, x45, x42); ++ fiat_secp384r1_addcarryx_u32(&x78, &x79, 0x0, x40, x60); ++ fiat_secp384r1_addcarryx_u32(&x80, &x81, x79, x41, x61); ++ fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x18, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x22, x58); ++ fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x24, x62); ++ fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x26, x64); ++ fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x28, x66); ++ fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x30, x68); ++ fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x32, x70); ++ fiat_secp384r1_addcarryx_u32(&x96, &x97, x95, x34, x72); ++ fiat_secp384r1_addcarryx_u32(&x98, &x99, x97, x36, x74); ++ fiat_secp384r1_addcarryx_u32(&x100, &x101, x99, (x37 + x3), x76); ++ fiat_secp384r1_addcarryx_u32(&x102, &x103, x101, 0x0, (x77 + x43)); ++ fiat_secp384r1_addcarryx_u32(&x104, &x105, 0x0, x80, (arg1[2])); ++ fiat_secp384r1_addcarryx_u32(&x106, &x107, x105, x82, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x108, &x109, x107, x84, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x110, &x111, x109, x86, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x112, &x113, x111, x88, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x114, &x115, x113, x90, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x116, &x117, x115, x92, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x118, &x119, x117, x94, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x120, &x121, x119, x96, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x122, &x123, x121, x98, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x124, &x125, x123, x100, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x126, &x127, x125, x102, 0x0); ++ fiat_secp384r1_mulx_u32(&x128, &x129, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x130, &x131, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x132, &x133, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x134, &x135, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x136, &x137, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x138, &x139, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x140, &x141, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x142, &x143, x104, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x144, &x145, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x146, &x147, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x148, &x149, 0x0, x145, x142); ++ fiat_secp384r1_addcarryx_u32(&x150, &x151, x149, x143, x140); ++ fiat_secp384r1_addcarryx_u32(&x152, &x153, x151, x141, x138); ++ fiat_secp384r1_addcarryx_u32(&x154, &x155, x153, x139, x136); ++ fiat_secp384r1_addcarryx_u32(&x156, &x157, x155, x137, x134); ++ fiat_secp384r1_addcarryx_u32(&x158, &x159, x157, x135, x132); ++ fiat_secp384r1_addcarryx_u32(&x160, &x161, x159, x133, x130); ++ fiat_secp384r1_addcarryx_u32(&x162, &x163, x161, x131, x128); ++ fiat_secp384r1_addcarryx_u32(&x164, &x165, 0x0, x104, x146); ++ fiat_secp384r1_addcarryx_u32(&x166, &x167, x165, x106, x147); ++ fiat_secp384r1_addcarryx_u32(&x168, &x169, x167, x108, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x170, &x171, x169, x110, x144); ++ fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x112, x148); ++ fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x114, x150); ++ fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x116, x152); ++ fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x118, x154); ++ fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x120, x156); ++ fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x122, x158); ++ fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x124, x160); ++ fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x126, x162); ++ fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, ((uint32_t)x127 + x103), ++ (x163 + x129)); ++ fiat_secp384r1_addcarryx_u32(&x190, &x191, 0x0, x166, (arg1[3])); ++ fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x168, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x170, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x196, &x197, x195, x172, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x198, &x199, x197, x174, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x200, &x201, x199, x176, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x202, &x203, x201, x178, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x204, &x205, x203, x180, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x206, &x207, x205, x182, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x208, &x209, x207, x184, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x210, &x211, x209, x186, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x212, &x213, x211, x188, 0x0); ++ fiat_secp384r1_mulx_u32(&x214, &x215, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x216, &x217, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x218, &x219, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x220, &x221, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x222, &x223, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x224, &x225, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x226, &x227, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x228, &x229, x190, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x230, &x231, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x232, &x233, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x234, &x235, 0x0, x231, x228); ++ fiat_secp384r1_addcarryx_u32(&x236, &x237, x235, x229, x226); ++ fiat_secp384r1_addcarryx_u32(&x238, &x239, x237, x227, x224); ++ fiat_secp384r1_addcarryx_u32(&x240, &x241, x239, x225, x222); ++ fiat_secp384r1_addcarryx_u32(&x242, &x243, x241, x223, x220); ++ fiat_secp384r1_addcarryx_u32(&x244, &x245, x243, x221, x218); ++ fiat_secp384r1_addcarryx_u32(&x246, &x247, x245, x219, x216); ++ fiat_secp384r1_addcarryx_u32(&x248, &x249, x247, x217, x214); ++ fiat_secp384r1_addcarryx_u32(&x250, &x251, 0x0, x190, x232); ++ fiat_secp384r1_addcarryx_u32(&x252, &x253, x251, x192, x233); ++ fiat_secp384r1_addcarryx_u32(&x254, &x255, x253, x194, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x256, &x257, x255, x196, x230); ++ fiat_secp384r1_addcarryx_u32(&x258, &x259, x257, x198, x234); ++ fiat_secp384r1_addcarryx_u32(&x260, &x261, x259, x200, x236); ++ fiat_secp384r1_addcarryx_u32(&x262, &x263, x261, x202, x238); ++ fiat_secp384r1_addcarryx_u32(&x264, &x265, x263, x204, x240); ++ fiat_secp384r1_addcarryx_u32(&x266, &x267, x265, x206, x242); ++ fiat_secp384r1_addcarryx_u32(&x268, &x269, x267, x208, x244); ++ fiat_secp384r1_addcarryx_u32(&x270, &x271, x269, x210, x246); ++ fiat_secp384r1_addcarryx_u32(&x272, &x273, x271, x212, x248); ++ fiat_secp384r1_addcarryx_u32(&x274, &x275, x273, ((uint32_t)x213 + x189), ++ (x249 + x215)); ++ fiat_secp384r1_addcarryx_u32(&x276, &x277, 0x0, x252, (arg1[4])); ++ fiat_secp384r1_addcarryx_u32(&x278, &x279, x277, x254, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x280, &x281, x279, x256, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x282, &x283, x281, x258, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x284, &x285, x283, x260, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x262, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x264, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x266, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x268, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x270, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x272, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x274, 0x0); ++ fiat_secp384r1_mulx_u32(&x300, &x301, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x302, &x303, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x304, &x305, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x306, &x307, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x308, &x309, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x310, &x311, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x312, &x313, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x314, &x315, x276, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x316, &x317, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x318, &x319, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x320, &x321, 0x0, x317, x314); ++ fiat_secp384r1_addcarryx_u32(&x322, &x323, x321, x315, x312); ++ fiat_secp384r1_addcarryx_u32(&x324, &x325, x323, x313, x310); ++ fiat_secp384r1_addcarryx_u32(&x326, &x327, x325, x311, x308); ++ fiat_secp384r1_addcarryx_u32(&x328, &x329, x327, x309, x306); ++ fiat_secp384r1_addcarryx_u32(&x330, &x331, x329, x307, x304); ++ fiat_secp384r1_addcarryx_u32(&x332, &x333, x331, x305, x302); ++ fiat_secp384r1_addcarryx_u32(&x334, &x335, x333, x303, x300); ++ fiat_secp384r1_addcarryx_u32(&x336, &x337, 0x0, x276, x318); ++ fiat_secp384r1_addcarryx_u32(&x338, &x339, x337, x278, x319); ++ fiat_secp384r1_addcarryx_u32(&x340, &x341, x339, x280, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x342, &x343, x341, x282, x316); ++ fiat_secp384r1_addcarryx_u32(&x344, &x345, x343, x284, x320); ++ fiat_secp384r1_addcarryx_u32(&x346, &x347, x345, x286, x322); ++ fiat_secp384r1_addcarryx_u32(&x348, &x349, x347, x288, x324); ++ fiat_secp384r1_addcarryx_u32(&x350, &x351, x349, x290, x326); ++ fiat_secp384r1_addcarryx_u32(&x352, &x353, x351, x292, x328); ++ fiat_secp384r1_addcarryx_u32(&x354, &x355, x353, x294, x330); ++ fiat_secp384r1_addcarryx_u32(&x356, &x357, x355, x296, x332); ++ fiat_secp384r1_addcarryx_u32(&x358, &x359, x357, x298, x334); ++ fiat_secp384r1_addcarryx_u32(&x360, &x361, x359, ((uint32_t)x299 + x275), ++ (x335 + x301)); ++ fiat_secp384r1_addcarryx_u32(&x362, &x363, 0x0, x338, (arg1[5])); ++ fiat_secp384r1_addcarryx_u32(&x364, &x365, x363, x340, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x366, &x367, x365, x342, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x368, &x369, x367, x344, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x370, &x371, x369, x346, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x348, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x350, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x352, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x354, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x356, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x358, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x360, 0x0); ++ fiat_secp384r1_mulx_u32(&x386, &x387, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x388, &x389, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x390, &x391, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x392, &x393, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x394, &x395, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x396, &x397, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x398, &x399, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x400, &x401, x362, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x402, &x403, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x404, &x405, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x406, &x407, 0x0, x403, x400); ++ fiat_secp384r1_addcarryx_u32(&x408, &x409, x407, x401, x398); ++ fiat_secp384r1_addcarryx_u32(&x410, &x411, x409, x399, x396); ++ fiat_secp384r1_addcarryx_u32(&x412, &x413, x411, x397, x394); ++ fiat_secp384r1_addcarryx_u32(&x414, &x415, x413, x395, x392); ++ fiat_secp384r1_addcarryx_u32(&x416, &x417, x415, x393, x390); ++ fiat_secp384r1_addcarryx_u32(&x418, &x419, x417, x391, x388); ++ fiat_secp384r1_addcarryx_u32(&x420, &x421, x419, x389, x386); ++ fiat_secp384r1_addcarryx_u32(&x422, &x423, 0x0, x362, x404); ++ fiat_secp384r1_addcarryx_u32(&x424, &x425, x423, x364, x405); ++ fiat_secp384r1_addcarryx_u32(&x426, &x427, x425, x366, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x428, &x429, x427, x368, x402); ++ fiat_secp384r1_addcarryx_u32(&x430, &x431, x429, x370, x406); ++ fiat_secp384r1_addcarryx_u32(&x432, &x433, x431, x372, x408); ++ fiat_secp384r1_addcarryx_u32(&x434, &x435, x433, x374, x410); ++ fiat_secp384r1_addcarryx_u32(&x436, &x437, x435, x376, x412); ++ fiat_secp384r1_addcarryx_u32(&x438, &x439, x437, x378, x414); ++ fiat_secp384r1_addcarryx_u32(&x440, &x441, x439, x380, x416); ++ fiat_secp384r1_addcarryx_u32(&x442, &x443, x441, x382, x418); ++ fiat_secp384r1_addcarryx_u32(&x444, &x445, x443, x384, x420); ++ fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, ((uint32_t)x385 + x361), ++ (x421 + x387)); ++ fiat_secp384r1_addcarryx_u32(&x448, &x449, 0x0, x424, (arg1[6])); ++ fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x426, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x428, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x430, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x432, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x434, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x436, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x438, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x440, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x442, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x444, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x470, &x471, x469, x446, 0x0); ++ fiat_secp384r1_mulx_u32(&x472, &x473, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x474, &x475, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x476, &x477, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x478, &x479, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x480, &x481, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x482, &x483, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x484, &x485, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x486, &x487, x448, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x488, &x489, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x490, &x491, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x492, &x493, 0x0, x489, x486); ++ fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x487, x484); ++ fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x485, x482); ++ fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x483, x480); ++ fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x481, x478); ++ fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x479, x476); ++ fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x477, x474); ++ fiat_secp384r1_addcarryx_u32(&x506, &x507, x505, x475, x472); ++ fiat_secp384r1_addcarryx_u32(&x508, &x509, 0x0, x448, x490); ++ fiat_secp384r1_addcarryx_u32(&x510, &x511, x509, x450, x491); ++ fiat_secp384r1_addcarryx_u32(&x512, &x513, x511, x452, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x514, &x515, x513, x454, x488); ++ fiat_secp384r1_addcarryx_u32(&x516, &x517, x515, x456, x492); ++ fiat_secp384r1_addcarryx_u32(&x518, &x519, x517, x458, x494); ++ fiat_secp384r1_addcarryx_u32(&x520, &x521, x519, x460, x496); ++ fiat_secp384r1_addcarryx_u32(&x522, &x523, x521, x462, x498); ++ fiat_secp384r1_addcarryx_u32(&x524, &x525, x523, x464, x500); ++ fiat_secp384r1_addcarryx_u32(&x526, &x527, x525, x466, x502); ++ fiat_secp384r1_addcarryx_u32(&x528, &x529, x527, x468, x504); ++ fiat_secp384r1_addcarryx_u32(&x530, &x531, x529, x470, x506); ++ fiat_secp384r1_addcarryx_u32(&x532, &x533, x531, ((uint32_t)x471 + x447), ++ (x507 + x473)); ++ fiat_secp384r1_addcarryx_u32(&x534, &x535, 0x0, x510, (arg1[7])); ++ fiat_secp384r1_addcarryx_u32(&x536, &x537, x535, x512, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x538, &x539, x537, x514, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x540, &x541, x539, x516, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x542, &x543, x541, x518, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x544, &x545, x543, x520, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x546, &x547, x545, x522, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x548, &x549, x547, x524, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x550, &x551, x549, x526, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x552, &x553, x551, x528, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x554, &x555, x553, x530, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x556, &x557, x555, x532, 0x0); ++ fiat_secp384r1_mulx_u32(&x558, &x559, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x560, &x561, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x562, &x563, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x564, &x565, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x566, &x567, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x568, &x569, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x570, &x571, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x572, &x573, x534, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x574, &x575, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x576, &x577, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x578, &x579, 0x0, x575, x572); ++ fiat_secp384r1_addcarryx_u32(&x580, &x581, x579, x573, x570); ++ fiat_secp384r1_addcarryx_u32(&x582, &x583, x581, x571, x568); ++ fiat_secp384r1_addcarryx_u32(&x584, &x585, x583, x569, x566); ++ fiat_secp384r1_addcarryx_u32(&x586, &x587, x585, x567, x564); ++ fiat_secp384r1_addcarryx_u32(&x588, &x589, x587, x565, x562); ++ fiat_secp384r1_addcarryx_u32(&x590, &x591, x589, x563, x560); ++ fiat_secp384r1_addcarryx_u32(&x592, &x593, x591, x561, x558); ++ fiat_secp384r1_addcarryx_u32(&x594, &x595, 0x0, x534, x576); ++ fiat_secp384r1_addcarryx_u32(&x596, &x597, x595, x536, x577); ++ fiat_secp384r1_addcarryx_u32(&x598, &x599, x597, x538, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x600, &x601, x599, x540, x574); ++ fiat_secp384r1_addcarryx_u32(&x602, &x603, x601, x542, x578); ++ fiat_secp384r1_addcarryx_u32(&x604, &x605, x603, x544, x580); ++ fiat_secp384r1_addcarryx_u32(&x606, &x607, x605, x546, x582); ++ fiat_secp384r1_addcarryx_u32(&x608, &x609, x607, x548, x584); ++ fiat_secp384r1_addcarryx_u32(&x610, &x611, x609, x550, x586); ++ fiat_secp384r1_addcarryx_u32(&x612, &x613, x611, x552, x588); ++ fiat_secp384r1_addcarryx_u32(&x614, &x615, x613, x554, x590); ++ fiat_secp384r1_addcarryx_u32(&x616, &x617, x615, x556, x592); ++ fiat_secp384r1_addcarryx_u32(&x618, &x619, x617, ((uint32_t)x557 + x533), ++ (x593 + x559)); ++ fiat_secp384r1_addcarryx_u32(&x620, &x621, 0x0, x596, (arg1[8])); ++ fiat_secp384r1_addcarryx_u32(&x622, &x623, x621, x598, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x624, &x625, x623, x600, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x626, &x627, x625, x602, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x628, &x629, x627, x604, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x630, &x631, x629, x606, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x632, &x633, x631, x608, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x634, &x635, x633, x610, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x636, &x637, x635, x612, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x638, &x639, x637, x614, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x640, &x641, x639, x616, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x642, &x643, x641, x618, 0x0); ++ fiat_secp384r1_mulx_u32(&x644, &x645, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x646, &x647, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x648, &x649, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x650, &x651, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x652, &x653, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x654, &x655, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x656, &x657, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x658, &x659, x620, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x660, &x661, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x662, &x663, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x664, &x665, 0x0, x661, x658); ++ fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x659, x656); ++ fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x657, x654); ++ fiat_secp384r1_addcarryx_u32(&x670, &x671, x669, x655, x652); ++ fiat_secp384r1_addcarryx_u32(&x672, &x673, x671, x653, x650); ++ fiat_secp384r1_addcarryx_u32(&x674, &x675, x673, x651, x648); ++ fiat_secp384r1_addcarryx_u32(&x676, &x677, x675, x649, x646); ++ fiat_secp384r1_addcarryx_u32(&x678, &x679, x677, x647, x644); ++ fiat_secp384r1_addcarryx_u32(&x680, &x681, 0x0, x620, x662); ++ fiat_secp384r1_addcarryx_u32(&x682, &x683, x681, x622, x663); ++ fiat_secp384r1_addcarryx_u32(&x684, &x685, x683, x624, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x686, &x687, x685, x626, x660); ++ fiat_secp384r1_addcarryx_u32(&x688, &x689, x687, x628, x664); ++ fiat_secp384r1_addcarryx_u32(&x690, &x691, x689, x630, x666); ++ fiat_secp384r1_addcarryx_u32(&x692, &x693, x691, x632, x668); ++ fiat_secp384r1_addcarryx_u32(&x694, &x695, x693, x634, x670); ++ fiat_secp384r1_addcarryx_u32(&x696, &x697, x695, x636, x672); ++ fiat_secp384r1_addcarryx_u32(&x698, &x699, x697, x638, x674); ++ fiat_secp384r1_addcarryx_u32(&x700, &x701, x699, x640, x676); ++ fiat_secp384r1_addcarryx_u32(&x702, &x703, x701, x642, x678); ++ fiat_secp384r1_addcarryx_u32(&x704, &x705, x703, ((uint32_t)x643 + x619), ++ (x679 + x645)); ++ fiat_secp384r1_addcarryx_u32(&x706, &x707, 0x0, x682, (arg1[9])); ++ fiat_secp384r1_addcarryx_u32(&x708, &x709, x707, x684, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x710, &x711, x709, x686, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x712, &x713, x711, x688, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x714, &x715, x713, x690, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x716, &x717, x715, x692, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x718, &x719, x717, x694, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x696, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x698, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x700, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x702, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x704, 0x0); ++ fiat_secp384r1_mulx_u32(&x730, &x731, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x732, &x733, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x734, &x735, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x736, &x737, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x738, &x739, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x740, &x741, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x742, &x743, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x744, &x745, x706, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x746, &x747, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x748, &x749, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x750, &x751, 0x0, x747, x744); ++ fiat_secp384r1_addcarryx_u32(&x752, &x753, x751, x745, x742); ++ fiat_secp384r1_addcarryx_u32(&x754, &x755, x753, x743, x740); ++ fiat_secp384r1_addcarryx_u32(&x756, &x757, x755, x741, x738); ++ fiat_secp384r1_addcarryx_u32(&x758, &x759, x757, x739, x736); ++ fiat_secp384r1_addcarryx_u32(&x760, &x761, x759, x737, x734); ++ fiat_secp384r1_addcarryx_u32(&x762, &x763, x761, x735, x732); ++ fiat_secp384r1_addcarryx_u32(&x764, &x765, x763, x733, x730); ++ fiat_secp384r1_addcarryx_u32(&x766, &x767, 0x0, x706, x748); ++ fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x708, x749); ++ fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x710, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x712, x746); ++ fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x714, x750); ++ fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x716, x752); ++ fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x718, x754); ++ fiat_secp384r1_addcarryx_u32(&x780, &x781, x779, x720, x756); ++ fiat_secp384r1_addcarryx_u32(&x782, &x783, x781, x722, x758); ++ fiat_secp384r1_addcarryx_u32(&x784, &x785, x783, x724, x760); ++ fiat_secp384r1_addcarryx_u32(&x786, &x787, x785, x726, x762); ++ fiat_secp384r1_addcarryx_u32(&x788, &x789, x787, x728, x764); ++ fiat_secp384r1_addcarryx_u32(&x790, &x791, x789, ((uint32_t)x729 + x705), ++ (x765 + x731)); ++ fiat_secp384r1_addcarryx_u32(&x792, &x793, 0x0, x768, (arg1[10])); ++ fiat_secp384r1_addcarryx_u32(&x794, &x795, x793, x770, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x796, &x797, x795, x772, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x798, &x799, x797, x774, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x800, &x801, x799, x776, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x802, &x803, x801, x778, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x804, &x805, x803, x780, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x806, &x807, x805, x782, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x808, &x809, x807, x784, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x810, &x811, x809, x786, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x812, &x813, x811, x788, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x814, &x815, x813, x790, 0x0); ++ fiat_secp384r1_mulx_u32(&x816, &x817, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x818, &x819, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x820, &x821, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x822, &x823, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x824, &x825, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x826, &x827, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x828, &x829, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x830, &x831, x792, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x832, &x833, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x834, &x835, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x836, &x837, 0x0, x833, x830); ++ fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x831, x828); ++ fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x829, x826); ++ fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x827, x824); ++ fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x825, x822); ++ fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x823, x820); ++ fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x821, x818); ++ fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x819, x816); ++ fiat_secp384r1_addcarryx_u32(&x852, &x853, 0x0, x792, x834); ++ fiat_secp384r1_addcarryx_u32(&x854, &x855, x853, x794, x835); ++ fiat_secp384r1_addcarryx_u32(&x856, &x857, x855, x796, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x858, &x859, x857, x798, x832); ++ fiat_secp384r1_addcarryx_u32(&x860, &x861, x859, x800, x836); ++ fiat_secp384r1_addcarryx_u32(&x862, &x863, x861, x802, x838); ++ fiat_secp384r1_addcarryx_u32(&x864, &x865, x863, x804, x840); ++ fiat_secp384r1_addcarryx_u32(&x866, &x867, x865, x806, x842); ++ fiat_secp384r1_addcarryx_u32(&x868, &x869, x867, x808, x844); ++ fiat_secp384r1_addcarryx_u32(&x870, &x871, x869, x810, x846); ++ fiat_secp384r1_addcarryx_u32(&x872, &x873, x871, x812, x848); ++ fiat_secp384r1_addcarryx_u32(&x874, &x875, x873, x814, x850); ++ fiat_secp384r1_addcarryx_u32(&x876, &x877, x875, ((uint32_t)x815 + x791), ++ (x851 + x817)); ++ fiat_secp384r1_addcarryx_u32(&x878, &x879, 0x0, x854, (arg1[11])); ++ fiat_secp384r1_addcarryx_u32(&x880, &x881, x879, x856, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x882, &x883, x881, x858, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x884, &x885, x883, x860, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x886, &x887, x885, x862, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x888, &x889, x887, x864, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x890, &x891, x889, x866, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x892, &x893, x891, x868, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x894, &x895, x893, x870, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x896, &x897, x895, x872, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x898, &x899, x897, x874, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x900, &x901, x899, x876, 0x0); ++ fiat_secp384r1_mulx_u32(&x902, &x903, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x904, &x905, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x906, &x907, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x908, &x909, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x910, &x911, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x912, &x913, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x914, &x915, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x916, &x917, x878, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x918, &x919, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x920, &x921, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x922, &x923, 0x0, x919, x916); ++ fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x917, x914); ++ fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x915, x912); ++ fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x913, x910); ++ fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x911, x908); ++ fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x909, x906); ++ fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x907, x904); ++ fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x905, x902); ++ fiat_secp384r1_addcarryx_u32(&x938, &x939, 0x0, x878, x920); ++ fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x880, x921); ++ fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x882, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x944, &x945, x943, x884, x918); ++ fiat_secp384r1_addcarryx_u32(&x946, &x947, x945, x886, x922); ++ fiat_secp384r1_addcarryx_u32(&x948, &x949, x947, x888, x924); ++ fiat_secp384r1_addcarryx_u32(&x950, &x951, x949, x890, x926); ++ fiat_secp384r1_addcarryx_u32(&x952, &x953, x951, x892, x928); ++ fiat_secp384r1_addcarryx_u32(&x954, &x955, x953, x894, x930); ++ fiat_secp384r1_addcarryx_u32(&x956, &x957, x955, x896, x932); ++ fiat_secp384r1_addcarryx_u32(&x958, &x959, x957, x898, x934); ++ fiat_secp384r1_addcarryx_u32(&x960, &x961, x959, x900, x936); ++ fiat_secp384r1_addcarryx_u32(&x962, &x963, x961, ((uint32_t)x901 + x877), ++ (x937 + x903)); ++ fiat_secp384r1_subborrowx_u32(&x964, &x965, 0x0, x940, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x966, &x967, x965, x942, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x968, &x969, x967, x944, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x970, &x971, x969, x946, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x972, &x973, x971, x948, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x974, &x975, x973, x950, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x976, &x977, x975, x952, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x978, &x979, x977, x954, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x980, &x981, x979, x956, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x982, &x983, x981, x958, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x984, &x985, x983, x960, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x986, &x987, x985, x962, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x988, &x989, x987, x963, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x990, x989, x964, x940); ++ fiat_secp384r1_cmovznz_u32(&x991, x989, x966, x942); ++ fiat_secp384r1_cmovznz_u32(&x992, x989, x968, x944); ++ fiat_secp384r1_cmovznz_u32(&x993, x989, x970, x946); ++ fiat_secp384r1_cmovznz_u32(&x994, x989, x972, x948); ++ fiat_secp384r1_cmovznz_u32(&x995, x989, x974, x950); ++ fiat_secp384r1_cmovznz_u32(&x996, x989, x976, x952); ++ fiat_secp384r1_cmovznz_u32(&x997, x989, x978, x954); ++ fiat_secp384r1_cmovznz_u32(&x998, x989, x980, x956); ++ fiat_secp384r1_cmovznz_u32(&x999, x989, x982, x958); ++ fiat_secp384r1_cmovznz_u32(&x1000, x989, x984, x960); ++ fiat_secp384r1_cmovznz_u32(&x1001, x989, x986, x962); ++ out1[0] = x990; ++ out1[1] = x991; ++ out1[2] = x992; ++ out1[3] = x993; ++ out1[4] = x994; ++ out1[5] = x995; ++ out1[6] = x996; ++ out1[7] = x997; ++ out1[8] = x998; ++ out1[9] = x999; ++ out1[10] = x1000; ++ out1[11] = x1001; ++} ++ ++/* ++ * The function fiat_secp384r1_to_montgomery translates a field element into the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_to_montgomery(uint32_t out1[12], ++ const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ uint32_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint32_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint32_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint32_t x36; ++ uint32_t x37; ++ uint32_t x38; ++ uint32_t x39; ++ uint32_t x40; ++ uint32_t x41; ++ uint32_t x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint32_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint32_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint32_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint32_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint32_t x61; ++ fiat_secp384r1_uint1 x62; ++ uint32_t x63; ++ fiat_secp384r1_uint1 x64; ++ uint32_t x65; ++ fiat_secp384r1_uint1 x66; ++ uint32_t x67; ++ fiat_secp384r1_uint1 x68; ++ uint32_t x69; ++ fiat_secp384r1_uint1 x70; ++ uint32_t x71; ++ fiat_secp384r1_uint1 x72; ++ uint32_t x73; ++ fiat_secp384r1_uint1 x74; ++ uint32_t x75; ++ fiat_secp384r1_uint1 x76; ++ uint32_t x77; ++ fiat_secp384r1_uint1 x78; ++ uint32_t x79; ++ fiat_secp384r1_uint1 x80; ++ uint32_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint32_t x83; ++ uint32_t x84; ++ uint32_t x85; ++ uint32_t x86; ++ uint32_t x87; ++ uint32_t x88; ++ uint32_t x89; ++ uint32_t x90; ++ uint32_t x91; ++ fiat_secp384r1_uint1 x92; ++ uint32_t x93; ++ fiat_secp384r1_uint1 x94; ++ uint32_t x95; ++ fiat_secp384r1_uint1 x96; ++ uint32_t x97; ++ fiat_secp384r1_uint1 x98; ++ uint32_t x99; ++ fiat_secp384r1_uint1 x100; ++ uint32_t x101; ++ fiat_secp384r1_uint1 x102; ++ uint32_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint32_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint32_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint32_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint32_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint32_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint32_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint32_t x117; ++ uint32_t x118; ++ uint32_t x119; ++ uint32_t x120; ++ uint32_t x121; ++ uint32_t x122; ++ uint32_t x123; ++ uint32_t x124; ++ uint32_t x125; ++ uint32_t x126; ++ uint32_t x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint32_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint32_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint32_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint32_t x145; ++ fiat_secp384r1_uint1 x146; ++ uint32_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint32_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint32_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint32_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint32_t x155; ++ fiat_secp384r1_uint1 x156; ++ uint32_t x157; ++ fiat_secp384r1_uint1 x158; ++ uint32_t x159; ++ fiat_secp384r1_uint1 x160; ++ uint32_t x161; ++ fiat_secp384r1_uint1 x162; ++ uint32_t x163; ++ fiat_secp384r1_uint1 x164; ++ uint32_t x165; ++ fiat_secp384r1_uint1 x166; ++ uint32_t x167; ++ fiat_secp384r1_uint1 x168; ++ uint32_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint32_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint32_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint32_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint32_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint32_t x179; ++ uint32_t x180; ++ uint32_t x181; ++ uint32_t x182; ++ uint32_t x183; ++ uint32_t x184; ++ uint32_t x185; ++ uint32_t x186; ++ uint32_t x187; ++ fiat_secp384r1_uint1 x188; ++ uint32_t x189; ++ fiat_secp384r1_uint1 x190; ++ uint32_t x191; ++ fiat_secp384r1_uint1 x192; ++ uint32_t x193; ++ fiat_secp384r1_uint1 x194; ++ uint32_t x195; ++ fiat_secp384r1_uint1 x196; ++ uint32_t x197; ++ fiat_secp384r1_uint1 x198; ++ uint32_t x199; ++ fiat_secp384r1_uint1 x200; ++ uint32_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint32_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint32_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint32_t x207; ++ fiat_secp384r1_uint1 x208; ++ uint32_t x209; ++ fiat_secp384r1_uint1 x210; ++ uint32_t x211; ++ fiat_secp384r1_uint1 x212; ++ uint32_t x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ uint32_t x217; ++ uint32_t x218; ++ uint32_t x219; ++ uint32_t x220; ++ uint32_t x221; ++ uint32_t x222; ++ uint32_t x223; ++ uint32_t x224; ++ uint32_t x225; ++ uint32_t x226; ++ uint32_t x227; ++ uint32_t x228; ++ uint32_t x229; ++ uint32_t x230; ++ uint32_t x231; ++ uint32_t x232; ++ uint32_t x233; ++ fiat_secp384r1_uint1 x234; ++ uint32_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint32_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint32_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint32_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint32_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint32_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint32_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint32_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint32_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint32_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint32_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint32_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint32_t x259; ++ fiat_secp384r1_uint1 x260; ++ uint32_t x261; ++ fiat_secp384r1_uint1 x262; ++ uint32_t x263; ++ fiat_secp384r1_uint1 x264; ++ uint32_t x265; ++ fiat_secp384r1_uint1 x266; ++ uint32_t x267; ++ fiat_secp384r1_uint1 x268; ++ uint32_t x269; ++ fiat_secp384r1_uint1 x270; ++ uint32_t x271; ++ fiat_secp384r1_uint1 x272; ++ uint32_t x273; ++ fiat_secp384r1_uint1 x274; ++ uint32_t x275; ++ uint32_t x276; ++ uint32_t x277; ++ uint32_t x278; ++ uint32_t x279; ++ uint32_t x280; ++ uint32_t x281; ++ uint32_t x282; ++ uint32_t x283; ++ fiat_secp384r1_uint1 x284; ++ uint32_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint32_t x287; ++ fiat_secp384r1_uint1 x288; ++ uint32_t x289; ++ fiat_secp384r1_uint1 x290; ++ uint32_t x291; ++ fiat_secp384r1_uint1 x292; ++ uint32_t x293; ++ fiat_secp384r1_uint1 x294; ++ uint32_t x295; ++ fiat_secp384r1_uint1 x296; ++ uint32_t x297; ++ fiat_secp384r1_uint1 x298; ++ uint32_t x299; ++ fiat_secp384r1_uint1 x300; ++ uint32_t x301; ++ fiat_secp384r1_uint1 x302; ++ uint32_t x303; ++ fiat_secp384r1_uint1 x304; ++ uint32_t x305; ++ fiat_secp384r1_uint1 x306; ++ uint32_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint32_t x309; ++ uint32_t x310; ++ uint32_t x311; ++ uint32_t x312; ++ uint32_t x313; ++ uint32_t x314; ++ uint32_t x315; ++ uint32_t x316; ++ uint32_t x317; ++ uint32_t x318; ++ uint32_t x319; ++ uint32_t x320; ++ uint32_t x321; ++ uint32_t x322; ++ uint32_t x323; ++ uint32_t x324; ++ uint32_t x325; ++ uint32_t x326; ++ uint32_t x327; ++ uint32_t x328; ++ uint32_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint32_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint32_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint32_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint32_t x337; ++ fiat_secp384r1_uint1 x338; ++ uint32_t x339; ++ fiat_secp384r1_uint1 x340; ++ uint32_t x341; ++ fiat_secp384r1_uint1 x342; ++ uint32_t x343; ++ fiat_secp384r1_uint1 x344; ++ uint32_t x345; ++ fiat_secp384r1_uint1 x346; ++ uint32_t x347; ++ fiat_secp384r1_uint1 x348; ++ uint32_t x349; ++ fiat_secp384r1_uint1 x350; ++ uint32_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint32_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint32_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint32_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint32_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint32_t x361; ++ fiat_secp384r1_uint1 x362; ++ uint32_t x363; ++ fiat_secp384r1_uint1 x364; ++ uint32_t x365; ++ fiat_secp384r1_uint1 x366; ++ uint32_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint32_t x369; ++ fiat_secp384r1_uint1 x370; ++ uint32_t x371; ++ uint32_t x372; ++ uint32_t x373; ++ uint32_t x374; ++ uint32_t x375; ++ uint32_t x376; ++ uint32_t x377; ++ uint32_t x378; ++ uint32_t x379; ++ fiat_secp384r1_uint1 x380; ++ uint32_t x381; ++ fiat_secp384r1_uint1 x382; ++ uint32_t x383; ++ fiat_secp384r1_uint1 x384; ++ uint32_t x385; ++ fiat_secp384r1_uint1 x386; ++ uint32_t x387; ++ fiat_secp384r1_uint1 x388; ++ uint32_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint32_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint32_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint32_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint32_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint32_t x399; ++ fiat_secp384r1_uint1 x400; ++ uint32_t x401; ++ fiat_secp384r1_uint1 x402; ++ uint32_t x403; ++ fiat_secp384r1_uint1 x404; ++ uint32_t x405; ++ uint32_t x406; ++ uint32_t x407; ++ uint32_t x408; ++ uint32_t x409; ++ uint32_t x410; ++ uint32_t x411; ++ uint32_t x412; ++ uint32_t x413; ++ uint32_t x414; ++ uint32_t x415; ++ uint32_t x416; ++ uint32_t x417; ++ uint32_t x418; ++ uint32_t x419; ++ uint32_t x420; ++ uint32_t x421; ++ uint32_t x422; ++ uint32_t x423; ++ uint32_t x424; ++ uint32_t x425; ++ fiat_secp384r1_uint1 x426; ++ uint32_t x427; ++ fiat_secp384r1_uint1 x428; ++ uint32_t x429; ++ fiat_secp384r1_uint1 x430; ++ uint32_t x431; ++ fiat_secp384r1_uint1 x432; ++ uint32_t x433; ++ fiat_secp384r1_uint1 x434; ++ uint32_t x435; ++ fiat_secp384r1_uint1 x436; ++ uint32_t x437; ++ fiat_secp384r1_uint1 x438; ++ uint32_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint32_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint32_t x443; ++ fiat_secp384r1_uint1 x444; ++ uint32_t x445; ++ fiat_secp384r1_uint1 x446; ++ uint32_t x447; ++ fiat_secp384r1_uint1 x448; ++ uint32_t x449; ++ fiat_secp384r1_uint1 x450; ++ uint32_t x451; ++ fiat_secp384r1_uint1 x452; ++ uint32_t x453; ++ fiat_secp384r1_uint1 x454; ++ uint32_t x455; ++ fiat_secp384r1_uint1 x456; ++ uint32_t x457; ++ fiat_secp384r1_uint1 x458; ++ uint32_t x459; ++ fiat_secp384r1_uint1 x460; ++ uint32_t x461; ++ fiat_secp384r1_uint1 x462; ++ uint32_t x463; ++ fiat_secp384r1_uint1 x464; ++ uint32_t x465; ++ fiat_secp384r1_uint1 x466; ++ uint32_t x467; ++ uint32_t x468; ++ uint32_t x469; ++ uint32_t x470; ++ uint32_t x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ fiat_secp384r1_uint1 x476; ++ uint32_t x477; ++ fiat_secp384r1_uint1 x478; ++ uint32_t x479; ++ fiat_secp384r1_uint1 x480; ++ uint32_t x481; ++ fiat_secp384r1_uint1 x482; ++ uint32_t x483; ++ fiat_secp384r1_uint1 x484; ++ uint32_t x485; ++ fiat_secp384r1_uint1 x486; ++ uint32_t x487; ++ fiat_secp384r1_uint1 x488; ++ uint32_t x489; ++ fiat_secp384r1_uint1 x490; ++ uint32_t x491; ++ fiat_secp384r1_uint1 x492; ++ uint32_t x493; ++ fiat_secp384r1_uint1 x494; ++ uint32_t x495; ++ fiat_secp384r1_uint1 x496; ++ uint32_t x497; ++ fiat_secp384r1_uint1 x498; ++ uint32_t x499; ++ fiat_secp384r1_uint1 x500; ++ uint32_t x501; ++ uint32_t x502; ++ uint32_t x503; ++ uint32_t x504; ++ uint32_t x505; ++ uint32_t x506; ++ uint32_t x507; ++ uint32_t x508; ++ uint32_t x509; ++ uint32_t x510; ++ uint32_t x511; ++ uint32_t x512; ++ uint32_t x513; ++ uint32_t x514; ++ uint32_t x515; ++ uint32_t x516; ++ uint32_t x517; ++ uint32_t x518; ++ uint32_t x519; ++ uint32_t x520; ++ uint32_t x521; ++ fiat_secp384r1_uint1 x522; ++ uint32_t x523; ++ fiat_secp384r1_uint1 x524; ++ uint32_t x525; ++ fiat_secp384r1_uint1 x526; ++ uint32_t x527; ++ fiat_secp384r1_uint1 x528; ++ uint32_t x529; ++ fiat_secp384r1_uint1 x530; ++ uint32_t x531; ++ fiat_secp384r1_uint1 x532; ++ uint32_t x533; ++ fiat_secp384r1_uint1 x534; ++ uint32_t x535; ++ fiat_secp384r1_uint1 x536; ++ uint32_t x537; ++ fiat_secp384r1_uint1 x538; ++ uint32_t x539; ++ fiat_secp384r1_uint1 x540; ++ uint32_t x541; ++ fiat_secp384r1_uint1 x542; ++ uint32_t x543; ++ fiat_secp384r1_uint1 x544; ++ uint32_t x545; ++ fiat_secp384r1_uint1 x546; ++ uint32_t x547; ++ fiat_secp384r1_uint1 x548; ++ uint32_t x549; ++ fiat_secp384r1_uint1 x550; ++ uint32_t x551; ++ fiat_secp384r1_uint1 x552; ++ uint32_t x553; ++ fiat_secp384r1_uint1 x554; ++ uint32_t x555; ++ fiat_secp384r1_uint1 x556; ++ uint32_t x557; ++ fiat_secp384r1_uint1 x558; ++ uint32_t x559; ++ fiat_secp384r1_uint1 x560; ++ uint32_t x561; ++ fiat_secp384r1_uint1 x562; ++ uint32_t x563; ++ uint32_t x564; ++ uint32_t x565; ++ uint32_t x566; ++ uint32_t x567; ++ uint32_t x568; ++ uint32_t x569; ++ uint32_t x570; ++ uint32_t x571; ++ fiat_secp384r1_uint1 x572; ++ uint32_t x573; ++ fiat_secp384r1_uint1 x574; ++ uint32_t x575; ++ fiat_secp384r1_uint1 x576; ++ uint32_t x577; ++ fiat_secp384r1_uint1 x578; ++ uint32_t x579; ++ fiat_secp384r1_uint1 x580; ++ uint32_t x581; ++ fiat_secp384r1_uint1 x582; ++ uint32_t x583; ++ fiat_secp384r1_uint1 x584; ++ uint32_t x585; ++ fiat_secp384r1_uint1 x586; ++ uint32_t x587; ++ fiat_secp384r1_uint1 x588; ++ uint32_t x589; ++ fiat_secp384r1_uint1 x590; ++ uint32_t x591; ++ fiat_secp384r1_uint1 x592; ++ uint32_t x593; ++ fiat_secp384r1_uint1 x594; ++ uint32_t x595; ++ fiat_secp384r1_uint1 x596; ++ uint32_t x597; ++ uint32_t x598; ++ uint32_t x599; ++ uint32_t x600; ++ uint32_t x601; ++ uint32_t x602; ++ uint32_t x603; ++ uint32_t x604; ++ uint32_t x605; ++ uint32_t x606; ++ uint32_t x607; ++ uint32_t x608; ++ uint32_t x609; ++ uint32_t x610; ++ uint32_t x611; ++ uint32_t x612; ++ uint32_t x613; ++ uint32_t x614; ++ uint32_t x615; ++ uint32_t x616; ++ uint32_t x617; ++ fiat_secp384r1_uint1 x618; ++ uint32_t x619; ++ fiat_secp384r1_uint1 x620; ++ uint32_t x621; ++ fiat_secp384r1_uint1 x622; ++ uint32_t x623; ++ fiat_secp384r1_uint1 x624; ++ uint32_t x625; ++ fiat_secp384r1_uint1 x626; ++ uint32_t x627; ++ fiat_secp384r1_uint1 x628; ++ uint32_t x629; ++ fiat_secp384r1_uint1 x630; ++ uint32_t x631; ++ fiat_secp384r1_uint1 x632; ++ uint32_t x633; ++ fiat_secp384r1_uint1 x634; ++ uint32_t x635; ++ fiat_secp384r1_uint1 x636; ++ uint32_t x637; ++ fiat_secp384r1_uint1 x638; ++ uint32_t x639; ++ fiat_secp384r1_uint1 x640; ++ uint32_t x641; ++ fiat_secp384r1_uint1 x642; ++ uint32_t x643; ++ fiat_secp384r1_uint1 x644; ++ uint32_t x645; ++ fiat_secp384r1_uint1 x646; ++ uint32_t x647; ++ fiat_secp384r1_uint1 x648; ++ uint32_t x649; ++ fiat_secp384r1_uint1 x650; ++ uint32_t x651; ++ fiat_secp384r1_uint1 x652; ++ uint32_t x653; ++ fiat_secp384r1_uint1 x654; ++ uint32_t x655; ++ fiat_secp384r1_uint1 x656; ++ uint32_t x657; ++ fiat_secp384r1_uint1 x658; ++ uint32_t x659; ++ uint32_t x660; ++ uint32_t x661; ++ uint32_t x662; ++ uint32_t x663; ++ uint32_t x664; ++ uint32_t x665; ++ uint32_t x666; ++ uint32_t x667; ++ fiat_secp384r1_uint1 x668; ++ uint32_t x669; ++ fiat_secp384r1_uint1 x670; ++ uint32_t x671; ++ fiat_secp384r1_uint1 x672; ++ uint32_t x673; ++ fiat_secp384r1_uint1 x674; ++ uint32_t x675; ++ fiat_secp384r1_uint1 x676; ++ uint32_t x677; ++ fiat_secp384r1_uint1 x678; ++ uint32_t x679; ++ fiat_secp384r1_uint1 x680; ++ uint32_t x681; ++ fiat_secp384r1_uint1 x682; ++ uint32_t x683; ++ fiat_secp384r1_uint1 x684; ++ uint32_t x685; ++ fiat_secp384r1_uint1 x686; ++ uint32_t x687; ++ fiat_secp384r1_uint1 x688; ++ uint32_t x689; ++ fiat_secp384r1_uint1 x690; ++ uint32_t x691; ++ fiat_secp384r1_uint1 x692; ++ uint32_t x693; ++ uint32_t x694; ++ uint32_t x695; ++ uint32_t x696; ++ uint32_t x697; ++ uint32_t x698; ++ uint32_t x699; ++ uint32_t x700; ++ uint32_t x701; ++ uint32_t x702; ++ uint32_t x703; ++ uint32_t x704; ++ uint32_t x705; ++ uint32_t x706; ++ uint32_t x707; ++ uint32_t x708; ++ uint32_t x709; ++ uint32_t x710; ++ uint32_t x711; ++ uint32_t x712; ++ uint32_t x713; ++ fiat_secp384r1_uint1 x714; ++ uint32_t x715; ++ fiat_secp384r1_uint1 x716; ++ uint32_t x717; ++ fiat_secp384r1_uint1 x718; ++ uint32_t x719; ++ fiat_secp384r1_uint1 x720; ++ uint32_t x721; ++ fiat_secp384r1_uint1 x722; ++ uint32_t x723; ++ fiat_secp384r1_uint1 x724; ++ uint32_t x725; ++ fiat_secp384r1_uint1 x726; ++ uint32_t x727; ++ fiat_secp384r1_uint1 x728; ++ uint32_t x729; ++ fiat_secp384r1_uint1 x730; ++ uint32_t x731; ++ fiat_secp384r1_uint1 x732; ++ uint32_t x733; ++ fiat_secp384r1_uint1 x734; ++ uint32_t x735; ++ fiat_secp384r1_uint1 x736; ++ uint32_t x737; ++ fiat_secp384r1_uint1 x738; ++ uint32_t x739; ++ fiat_secp384r1_uint1 x740; ++ uint32_t x741; ++ fiat_secp384r1_uint1 x742; ++ uint32_t x743; ++ fiat_secp384r1_uint1 x744; ++ uint32_t x745; ++ fiat_secp384r1_uint1 x746; ++ uint32_t x747; ++ fiat_secp384r1_uint1 x748; ++ uint32_t x749; ++ fiat_secp384r1_uint1 x750; ++ uint32_t x751; ++ fiat_secp384r1_uint1 x752; ++ uint32_t x753; ++ fiat_secp384r1_uint1 x754; ++ uint32_t x755; ++ uint32_t x756; ++ uint32_t x757; ++ uint32_t x758; ++ uint32_t x759; ++ uint32_t x760; ++ uint32_t x761; ++ uint32_t x762; ++ uint32_t x763; ++ fiat_secp384r1_uint1 x764; ++ uint32_t x765; ++ fiat_secp384r1_uint1 x766; ++ uint32_t x767; ++ fiat_secp384r1_uint1 x768; ++ uint32_t x769; ++ fiat_secp384r1_uint1 x770; ++ uint32_t x771; ++ fiat_secp384r1_uint1 x772; ++ uint32_t x773; ++ fiat_secp384r1_uint1 x774; ++ uint32_t x775; ++ fiat_secp384r1_uint1 x776; ++ uint32_t x777; ++ fiat_secp384r1_uint1 x778; ++ uint32_t x779; ++ fiat_secp384r1_uint1 x780; ++ uint32_t x781; ++ fiat_secp384r1_uint1 x782; ++ uint32_t x783; ++ fiat_secp384r1_uint1 x784; ++ uint32_t x785; ++ fiat_secp384r1_uint1 x786; ++ uint32_t x787; ++ fiat_secp384r1_uint1 x788; ++ uint32_t x789; ++ uint32_t x790; ++ uint32_t x791; ++ uint32_t x792; ++ uint32_t x793; ++ uint32_t x794; ++ uint32_t x795; ++ uint32_t x796; ++ uint32_t x797; ++ uint32_t x798; ++ uint32_t x799; ++ uint32_t x800; ++ uint32_t x801; ++ uint32_t x802; ++ uint32_t x803; ++ uint32_t x804; ++ uint32_t x805; ++ uint32_t x806; ++ uint32_t x807; ++ uint32_t x808; ++ uint32_t x809; ++ fiat_secp384r1_uint1 x810; ++ uint32_t x811; ++ fiat_secp384r1_uint1 x812; ++ uint32_t x813; ++ fiat_secp384r1_uint1 x814; ++ uint32_t x815; ++ fiat_secp384r1_uint1 x816; ++ uint32_t x817; ++ fiat_secp384r1_uint1 x818; ++ uint32_t x819; ++ fiat_secp384r1_uint1 x820; ++ uint32_t x821; ++ fiat_secp384r1_uint1 x822; ++ uint32_t x823; ++ fiat_secp384r1_uint1 x824; ++ uint32_t x825; ++ fiat_secp384r1_uint1 x826; ++ uint32_t x827; ++ fiat_secp384r1_uint1 x828; ++ uint32_t x829; ++ fiat_secp384r1_uint1 x830; ++ uint32_t x831; ++ fiat_secp384r1_uint1 x832; ++ uint32_t x833; ++ fiat_secp384r1_uint1 x834; ++ uint32_t x835; ++ fiat_secp384r1_uint1 x836; ++ uint32_t x837; ++ fiat_secp384r1_uint1 x838; ++ uint32_t x839; ++ fiat_secp384r1_uint1 x840; ++ uint32_t x841; ++ fiat_secp384r1_uint1 x842; ++ uint32_t x843; ++ fiat_secp384r1_uint1 x844; ++ uint32_t x845; ++ fiat_secp384r1_uint1 x846; ++ uint32_t x847; ++ fiat_secp384r1_uint1 x848; ++ uint32_t x849; ++ fiat_secp384r1_uint1 x850; ++ uint32_t x851; ++ uint32_t x852; ++ uint32_t x853; ++ uint32_t x854; ++ uint32_t x855; ++ uint32_t x856; ++ uint32_t x857; ++ uint32_t x858; ++ uint32_t x859; ++ fiat_secp384r1_uint1 x860; ++ uint32_t x861; ++ fiat_secp384r1_uint1 x862; ++ uint32_t x863; ++ fiat_secp384r1_uint1 x864; ++ uint32_t x865; ++ fiat_secp384r1_uint1 x866; ++ uint32_t x867; ++ fiat_secp384r1_uint1 x868; ++ uint32_t x869; ++ fiat_secp384r1_uint1 x870; ++ uint32_t x871; ++ fiat_secp384r1_uint1 x872; ++ uint32_t x873; ++ fiat_secp384r1_uint1 x874; ++ uint32_t x875; ++ fiat_secp384r1_uint1 x876; ++ uint32_t x877; ++ fiat_secp384r1_uint1 x878; ++ uint32_t x879; ++ fiat_secp384r1_uint1 x880; ++ uint32_t x881; ++ fiat_secp384r1_uint1 x882; ++ uint32_t x883; ++ fiat_secp384r1_uint1 x884; ++ uint32_t x885; ++ uint32_t x886; ++ uint32_t x887; ++ uint32_t x888; ++ uint32_t x889; ++ uint32_t x890; ++ uint32_t x891; ++ uint32_t x892; ++ uint32_t x893; ++ uint32_t x894; ++ uint32_t x895; ++ uint32_t x896; ++ uint32_t x897; ++ uint32_t x898; ++ uint32_t x899; ++ uint32_t x900; ++ uint32_t x901; ++ uint32_t x902; ++ uint32_t x903; ++ uint32_t x904; ++ uint32_t x905; ++ fiat_secp384r1_uint1 x906; ++ uint32_t x907; ++ fiat_secp384r1_uint1 x908; ++ uint32_t x909; ++ fiat_secp384r1_uint1 x910; ++ uint32_t x911; ++ fiat_secp384r1_uint1 x912; ++ uint32_t x913; ++ fiat_secp384r1_uint1 x914; ++ uint32_t x915; ++ fiat_secp384r1_uint1 x916; ++ uint32_t x917; ++ fiat_secp384r1_uint1 x918; ++ uint32_t x919; ++ fiat_secp384r1_uint1 x920; ++ uint32_t x921; ++ fiat_secp384r1_uint1 x922; ++ uint32_t x923; ++ fiat_secp384r1_uint1 x924; ++ uint32_t x925; ++ fiat_secp384r1_uint1 x926; ++ uint32_t x927; ++ fiat_secp384r1_uint1 x928; ++ uint32_t x929; ++ fiat_secp384r1_uint1 x930; ++ uint32_t x931; ++ fiat_secp384r1_uint1 x932; ++ uint32_t x933; ++ fiat_secp384r1_uint1 x934; ++ uint32_t x935; ++ fiat_secp384r1_uint1 x936; ++ uint32_t x937; ++ fiat_secp384r1_uint1 x938; ++ uint32_t x939; ++ fiat_secp384r1_uint1 x940; ++ uint32_t x941; ++ fiat_secp384r1_uint1 x942; ++ uint32_t x943; ++ fiat_secp384r1_uint1 x944; ++ uint32_t x945; ++ fiat_secp384r1_uint1 x946; ++ uint32_t x947; ++ uint32_t x948; ++ uint32_t x949; ++ uint32_t x950; ++ uint32_t x951; ++ uint32_t x952; ++ uint32_t x953; ++ uint32_t x954; ++ uint32_t x955; ++ fiat_secp384r1_uint1 x956; ++ uint32_t x957; ++ fiat_secp384r1_uint1 x958; ++ uint32_t x959; ++ fiat_secp384r1_uint1 x960; ++ uint32_t x961; ++ fiat_secp384r1_uint1 x962; ++ uint32_t x963; ++ fiat_secp384r1_uint1 x964; ++ uint32_t x965; ++ fiat_secp384r1_uint1 x966; ++ uint32_t x967; ++ fiat_secp384r1_uint1 x968; ++ uint32_t x969; ++ fiat_secp384r1_uint1 x970; ++ uint32_t x971; ++ fiat_secp384r1_uint1 x972; ++ uint32_t x973; ++ fiat_secp384r1_uint1 x974; ++ uint32_t x975; ++ fiat_secp384r1_uint1 x976; ++ uint32_t x977; ++ fiat_secp384r1_uint1 x978; ++ uint32_t x979; ++ fiat_secp384r1_uint1 x980; ++ uint32_t x981; ++ uint32_t x982; ++ uint32_t x983; ++ uint32_t x984; ++ uint32_t x985; ++ uint32_t x986; ++ uint32_t x987; ++ uint32_t x988; ++ uint32_t x989; ++ uint32_t x990; ++ uint32_t x991; ++ uint32_t x992; ++ uint32_t x993; ++ uint32_t x994; ++ uint32_t x995; ++ uint32_t x996; ++ uint32_t x997; ++ uint32_t x998; ++ uint32_t x999; ++ uint32_t x1000; ++ uint32_t x1001; ++ fiat_secp384r1_uint1 x1002; ++ uint32_t x1003; ++ fiat_secp384r1_uint1 x1004; ++ uint32_t x1005; ++ fiat_secp384r1_uint1 x1006; ++ uint32_t x1007; ++ fiat_secp384r1_uint1 x1008; ++ uint32_t x1009; ++ fiat_secp384r1_uint1 x1010; ++ uint32_t x1011; ++ fiat_secp384r1_uint1 x1012; ++ uint32_t x1013; ++ fiat_secp384r1_uint1 x1014; ++ uint32_t x1015; ++ fiat_secp384r1_uint1 x1016; ++ uint32_t x1017; ++ fiat_secp384r1_uint1 x1018; ++ uint32_t x1019; ++ fiat_secp384r1_uint1 x1020; ++ uint32_t x1021; ++ fiat_secp384r1_uint1 x1022; ++ uint32_t x1023; ++ fiat_secp384r1_uint1 x1024; ++ uint32_t x1025; ++ fiat_secp384r1_uint1 x1026; ++ uint32_t x1027; ++ fiat_secp384r1_uint1 x1028; ++ uint32_t x1029; ++ fiat_secp384r1_uint1 x1030; ++ uint32_t x1031; ++ fiat_secp384r1_uint1 x1032; ++ uint32_t x1033; ++ fiat_secp384r1_uint1 x1034; ++ uint32_t x1035; ++ fiat_secp384r1_uint1 x1036; ++ uint32_t x1037; ++ fiat_secp384r1_uint1 x1038; ++ uint32_t x1039; ++ fiat_secp384r1_uint1 x1040; ++ uint32_t x1041; ++ fiat_secp384r1_uint1 x1042; ++ uint32_t x1043; ++ uint32_t x1044; ++ uint32_t x1045; ++ uint32_t x1046; ++ uint32_t x1047; ++ uint32_t x1048; ++ uint32_t x1049; ++ uint32_t x1050; ++ uint32_t x1051; ++ fiat_secp384r1_uint1 x1052; ++ uint32_t x1053; ++ fiat_secp384r1_uint1 x1054; ++ uint32_t x1055; ++ fiat_secp384r1_uint1 x1056; ++ uint32_t x1057; ++ fiat_secp384r1_uint1 x1058; ++ uint32_t x1059; ++ fiat_secp384r1_uint1 x1060; ++ uint32_t x1061; ++ fiat_secp384r1_uint1 x1062; ++ uint32_t x1063; ++ fiat_secp384r1_uint1 x1064; ++ uint32_t x1065; ++ fiat_secp384r1_uint1 x1066; ++ uint32_t x1067; ++ fiat_secp384r1_uint1 x1068; ++ uint32_t x1069; ++ fiat_secp384r1_uint1 x1070; ++ uint32_t x1071; ++ fiat_secp384r1_uint1 x1072; ++ uint32_t x1073; ++ fiat_secp384r1_uint1 x1074; ++ uint32_t x1075; ++ fiat_secp384r1_uint1 x1076; ++ uint32_t x1077; ++ uint32_t x1078; ++ uint32_t x1079; ++ uint32_t x1080; ++ uint32_t x1081; ++ uint32_t x1082; ++ uint32_t x1083; ++ uint32_t x1084; ++ uint32_t x1085; ++ uint32_t x1086; ++ uint32_t x1087; ++ uint32_t x1088; ++ uint32_t x1089; ++ uint32_t x1090; ++ uint32_t x1091; ++ uint32_t x1092; ++ uint32_t x1093; ++ uint32_t x1094; ++ uint32_t x1095; ++ uint32_t x1096; ++ uint32_t x1097; ++ fiat_secp384r1_uint1 x1098; ++ uint32_t x1099; ++ fiat_secp384r1_uint1 x1100; ++ uint32_t x1101; ++ fiat_secp384r1_uint1 x1102; ++ uint32_t x1103; ++ fiat_secp384r1_uint1 x1104; ++ uint32_t x1105; ++ fiat_secp384r1_uint1 x1106; ++ uint32_t x1107; ++ fiat_secp384r1_uint1 x1108; ++ uint32_t x1109; ++ fiat_secp384r1_uint1 x1110; ++ uint32_t x1111; ++ fiat_secp384r1_uint1 x1112; ++ uint32_t x1113; ++ fiat_secp384r1_uint1 x1114; ++ uint32_t x1115; ++ fiat_secp384r1_uint1 x1116; ++ uint32_t x1117; ++ fiat_secp384r1_uint1 x1118; ++ uint32_t x1119; ++ fiat_secp384r1_uint1 x1120; ++ uint32_t x1121; ++ fiat_secp384r1_uint1 x1122; ++ uint32_t x1123; ++ fiat_secp384r1_uint1 x1124; ++ uint32_t x1125; ++ fiat_secp384r1_uint1 x1126; ++ uint32_t x1127; ++ fiat_secp384r1_uint1 x1128; ++ uint32_t x1129; ++ fiat_secp384r1_uint1 x1130; ++ uint32_t x1131; ++ fiat_secp384r1_uint1 x1132; ++ uint32_t x1133; ++ fiat_secp384r1_uint1 x1134; ++ uint32_t x1135; ++ fiat_secp384r1_uint1 x1136; ++ uint32_t x1137; ++ fiat_secp384r1_uint1 x1138; ++ uint32_t x1139; ++ fiat_secp384r1_uint1 x1140; ++ uint32_t x1141; ++ fiat_secp384r1_uint1 x1142; ++ uint32_t x1143; ++ fiat_secp384r1_uint1 x1144; ++ uint32_t x1145; ++ fiat_secp384r1_uint1 x1146; ++ uint32_t x1147; ++ fiat_secp384r1_uint1 x1148; ++ uint32_t x1149; ++ fiat_secp384r1_uint1 x1150; ++ uint32_t x1151; ++ fiat_secp384r1_uint1 x1152; ++ uint32_t x1153; ++ fiat_secp384r1_uint1 x1154; ++ uint32_t x1155; ++ fiat_secp384r1_uint1 x1156; ++ uint32_t x1157; ++ fiat_secp384r1_uint1 x1158; ++ uint32_t x1159; ++ fiat_secp384r1_uint1 x1160; ++ uint32_t x1161; ++ fiat_secp384r1_uint1 x1162; ++ uint32_t x1163; ++ fiat_secp384r1_uint1 x1164; ++ uint32_t x1165; ++ uint32_t x1166; ++ uint32_t x1167; ++ uint32_t x1168; ++ uint32_t x1169; ++ uint32_t x1170; ++ uint32_t x1171; ++ uint32_t x1172; ++ uint32_t x1173; ++ uint32_t x1174; ++ uint32_t x1175; ++ uint32_t x1176; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[6]); ++ x7 = (arg1[7]); ++ x8 = (arg1[8]); ++ x9 = (arg1[9]); ++ x10 = (arg1[10]); ++ x11 = (arg1[11]); ++ x12 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x13, &x14, x12, 0x2); ++ fiat_secp384r1_mulx_u32(&x15, &x16, x12, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x17, &x18, x12, 0x2); ++ fiat_secp384r1_mulx_u32(&x19, &x20, x12, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x21, &x22, 0x0, (fiat_secp384r1_uint1)x14, ++ x12); ++ fiat_secp384r1_mulx_u32(&x23, &x24, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x25, &x26, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x27, &x28, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x29, &x30, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x31, &x32, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x33, &x34, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x35, &x36, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x37, &x38, x12, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x39, &x40, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x41, &x42, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x43, &x44, 0x0, x40, x37); ++ fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x38, x35); ++ fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x36, x33); ++ fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x34, x31); ++ fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x32, x29); ++ fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x30, x27); ++ fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x28, x25); ++ fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x26, x23); ++ fiat_secp384r1_addcarryx_u32(&x59, &x60, 0x0, x12, x41); ++ fiat_secp384r1_addcarryx_u32(&x61, &x62, x60, x19, x42); ++ fiat_secp384r1_addcarryx_u32(&x63, &x64, 0x0, x17, x39); ++ fiat_secp384r1_addcarryx_u32(&x65, &x66, x64, (fiat_secp384r1_uint1)x18, ++ x43); ++ fiat_secp384r1_addcarryx_u32(&x67, &x68, x66, x15, x45); ++ fiat_secp384r1_addcarryx_u32(&x69, &x70, x68, x16, x47); ++ fiat_secp384r1_addcarryx_u32(&x71, &x72, x70, x13, x49); ++ fiat_secp384r1_addcarryx_u32(&x73, &x74, x72, x21, x51); ++ fiat_secp384r1_addcarryx_u32(&x75, &x76, x74, x22, x53); ++ fiat_secp384r1_addcarryx_u32(&x77, &x78, x76, 0x0, x55); ++ fiat_secp384r1_addcarryx_u32(&x79, &x80, x78, 0x0, x57); ++ fiat_secp384r1_addcarryx_u32(&x81, &x82, x80, 0x0, (x58 + x24)); ++ fiat_secp384r1_mulx_u32(&x83, &x84, x1, 0x2); ++ fiat_secp384r1_mulx_u32(&x85, &x86, x1, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x87, &x88, x1, 0x2); ++ fiat_secp384r1_mulx_u32(&x89, &x90, x1, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x91, &x92, 0x0, (fiat_secp384r1_uint1)x84, ++ x1); ++ fiat_secp384r1_addcarryx_u32(&x93, &x94, 0x0, x61, x1); ++ fiat_secp384r1_addcarryx_u32(&x95, &x96, x94, (x62 + x20), x89); ++ fiat_secp384r1_addcarryx_u32(&x97, &x98, x96, x63, x90); ++ fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x65, x87); ++ fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x67, ++ (fiat_secp384r1_uint1)x88); ++ fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x69, x85); ++ fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x71, x86); ++ fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x73, x83); ++ fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x75, x91); ++ fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x77, x92); ++ fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x79, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x81, 0x0); ++ fiat_secp384r1_mulx_u32(&x117, &x118, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x119, &x120, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x121, &x122, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x123, &x124, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x125, &x126, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x127, &x128, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x129, &x130, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x131, &x132, x93, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x133, &x134, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x135, &x136, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x137, &x138, 0x0, x134, x131); ++ fiat_secp384r1_addcarryx_u32(&x139, &x140, x138, x132, x129); ++ fiat_secp384r1_addcarryx_u32(&x141, &x142, x140, x130, x127); ++ fiat_secp384r1_addcarryx_u32(&x143, &x144, x142, x128, x125); ++ fiat_secp384r1_addcarryx_u32(&x145, &x146, x144, x126, x123); ++ fiat_secp384r1_addcarryx_u32(&x147, &x148, x146, x124, x121); ++ fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x122, x119); ++ fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x120, x117); ++ fiat_secp384r1_addcarryx_u32(&x153, &x154, 0x0, x93, x135); ++ fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x95, x136); ++ fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x97, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x99, x133); ++ fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x101, x137); ++ fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x103, x139); ++ fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x105, x141); ++ fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x107, x143); ++ fiat_secp384r1_addcarryx_u32(&x169, &x170, x168, x109, x145); ++ fiat_secp384r1_addcarryx_u32(&x171, &x172, x170, x111, x147); ++ fiat_secp384r1_addcarryx_u32(&x173, &x174, x172, x113, x149); ++ fiat_secp384r1_addcarryx_u32(&x175, &x176, x174, x115, x151); ++ fiat_secp384r1_addcarryx_u32(&x177, &x178, x176, ((uint32_t)x116 + x82), ++ (x152 + x118)); ++ fiat_secp384r1_mulx_u32(&x179, &x180, x2, 0x2); ++ fiat_secp384r1_mulx_u32(&x181, &x182, x2, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x183, &x184, x2, 0x2); ++ fiat_secp384r1_mulx_u32(&x185, &x186, x2, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x187, &x188, 0x0, (fiat_secp384r1_uint1)x180, ++ x2); ++ fiat_secp384r1_addcarryx_u32(&x189, &x190, 0x0, x155, x2); ++ fiat_secp384r1_addcarryx_u32(&x191, &x192, x190, x157, x185); ++ fiat_secp384r1_addcarryx_u32(&x193, &x194, x192, x159, x186); ++ fiat_secp384r1_addcarryx_u32(&x195, &x196, x194, x161, x183); ++ fiat_secp384r1_addcarryx_u32(&x197, &x198, x196, x163, ++ (fiat_secp384r1_uint1)x184); ++ fiat_secp384r1_addcarryx_u32(&x199, &x200, x198, x165, x181); ++ fiat_secp384r1_addcarryx_u32(&x201, &x202, x200, x167, x182); ++ fiat_secp384r1_addcarryx_u32(&x203, &x204, x202, x169, x179); ++ fiat_secp384r1_addcarryx_u32(&x205, &x206, x204, x171, x187); ++ fiat_secp384r1_addcarryx_u32(&x207, &x208, x206, x173, x188); ++ fiat_secp384r1_addcarryx_u32(&x209, &x210, x208, x175, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x211, &x212, x210, x177, 0x0); ++ fiat_secp384r1_mulx_u32(&x213, &x214, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x215, &x216, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x217, &x218, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x219, &x220, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x221, &x222, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x223, &x224, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x225, &x226, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x227, &x228, x189, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x229, &x230, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x231, &x232, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x230, x227); ++ fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x228, x225); ++ fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x226, x223); ++ fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x224, x221); ++ fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x222, x219); ++ fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x220, x217); ++ fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x218, x215); ++ fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x216, x213); ++ fiat_secp384r1_addcarryx_u32(&x249, &x250, 0x0, x189, x231); ++ fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x191, x232); ++ fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x193, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x195, x229); ++ fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x197, x233); ++ fiat_secp384r1_addcarryx_u32(&x259, &x260, x258, x199, x235); ++ fiat_secp384r1_addcarryx_u32(&x261, &x262, x260, x201, x237); ++ fiat_secp384r1_addcarryx_u32(&x263, &x264, x262, x203, x239); ++ fiat_secp384r1_addcarryx_u32(&x265, &x266, x264, x205, x241); ++ fiat_secp384r1_addcarryx_u32(&x267, &x268, x266, x207, x243); ++ fiat_secp384r1_addcarryx_u32(&x269, &x270, x268, x209, x245); ++ fiat_secp384r1_addcarryx_u32(&x271, &x272, x270, x211, x247); ++ fiat_secp384r1_addcarryx_u32(&x273, &x274, x272, ((uint32_t)x212 + x178), ++ (x248 + x214)); ++ fiat_secp384r1_mulx_u32(&x275, &x276, x3, 0x2); ++ fiat_secp384r1_mulx_u32(&x277, &x278, x3, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x279, &x280, x3, 0x2); ++ fiat_secp384r1_mulx_u32(&x281, &x282, x3, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x283, &x284, 0x0, (fiat_secp384r1_uint1)x276, ++ x3); ++ fiat_secp384r1_addcarryx_u32(&x285, &x286, 0x0, x251, x3); ++ fiat_secp384r1_addcarryx_u32(&x287, &x288, x286, x253, x281); ++ fiat_secp384r1_addcarryx_u32(&x289, &x290, x288, x255, x282); ++ fiat_secp384r1_addcarryx_u32(&x291, &x292, x290, x257, x279); ++ fiat_secp384r1_addcarryx_u32(&x293, &x294, x292, x259, ++ (fiat_secp384r1_uint1)x280); ++ fiat_secp384r1_addcarryx_u32(&x295, &x296, x294, x261, x277); ++ fiat_secp384r1_addcarryx_u32(&x297, &x298, x296, x263, x278); ++ fiat_secp384r1_addcarryx_u32(&x299, &x300, x298, x265, x275); ++ fiat_secp384r1_addcarryx_u32(&x301, &x302, x300, x267, x283); ++ fiat_secp384r1_addcarryx_u32(&x303, &x304, x302, x269, x284); ++ fiat_secp384r1_addcarryx_u32(&x305, &x306, x304, x271, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x307, &x308, x306, x273, 0x0); ++ fiat_secp384r1_mulx_u32(&x309, &x310, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x311, &x312, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x313, &x314, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x315, &x316, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x317, &x318, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x319, &x320, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x321, &x322, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x323, &x324, x285, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x325, &x326, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x327, &x328, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x329, &x330, 0x0, x326, x323); ++ fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x324, x321); ++ fiat_secp384r1_addcarryx_u32(&x333, &x334, x332, x322, x319); ++ fiat_secp384r1_addcarryx_u32(&x335, &x336, x334, x320, x317); ++ fiat_secp384r1_addcarryx_u32(&x337, &x338, x336, x318, x315); ++ fiat_secp384r1_addcarryx_u32(&x339, &x340, x338, x316, x313); ++ fiat_secp384r1_addcarryx_u32(&x341, &x342, x340, x314, x311); ++ fiat_secp384r1_addcarryx_u32(&x343, &x344, x342, x312, x309); ++ fiat_secp384r1_addcarryx_u32(&x345, &x346, 0x0, x285, x327); ++ fiat_secp384r1_addcarryx_u32(&x347, &x348, x346, x287, x328); ++ fiat_secp384r1_addcarryx_u32(&x349, &x350, x348, x289, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x351, &x352, x350, x291, x325); ++ fiat_secp384r1_addcarryx_u32(&x353, &x354, x352, x293, x329); ++ fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x295, x331); ++ fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x297, x333); ++ fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x299, x335); ++ fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x301, x337); ++ fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x303, x339); ++ fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x305, x341); ++ fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x307, x343); ++ fiat_secp384r1_addcarryx_u32(&x369, &x370, x368, ((uint32_t)x308 + x274), ++ (x344 + x310)); ++ fiat_secp384r1_mulx_u32(&x371, &x372, x4, 0x2); ++ fiat_secp384r1_mulx_u32(&x373, &x374, x4, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x375, &x376, x4, 0x2); ++ fiat_secp384r1_mulx_u32(&x377, &x378, x4, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x379, &x380, 0x0, (fiat_secp384r1_uint1)x372, ++ x4); ++ fiat_secp384r1_addcarryx_u32(&x381, &x382, 0x0, x347, x4); ++ fiat_secp384r1_addcarryx_u32(&x383, &x384, x382, x349, x377); ++ fiat_secp384r1_addcarryx_u32(&x385, &x386, x384, x351, x378); ++ fiat_secp384r1_addcarryx_u32(&x387, &x388, x386, x353, x375); ++ fiat_secp384r1_addcarryx_u32(&x389, &x390, x388, x355, ++ (fiat_secp384r1_uint1)x376); ++ fiat_secp384r1_addcarryx_u32(&x391, &x392, x390, x357, x373); ++ fiat_secp384r1_addcarryx_u32(&x393, &x394, x392, x359, x374); ++ fiat_secp384r1_addcarryx_u32(&x395, &x396, x394, x361, x371); ++ fiat_secp384r1_addcarryx_u32(&x397, &x398, x396, x363, x379); ++ fiat_secp384r1_addcarryx_u32(&x399, &x400, x398, x365, x380); ++ fiat_secp384r1_addcarryx_u32(&x401, &x402, x400, x367, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x403, &x404, x402, x369, 0x0); ++ fiat_secp384r1_mulx_u32(&x405, &x406, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x407, &x408, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x409, &x410, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x411, &x412, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x413, &x414, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x415, &x416, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x417, &x418, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x419, &x420, x381, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x421, &x422, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x423, &x424, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x425, &x426, 0x0, x422, x419); ++ fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x420, x417); ++ fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x418, x415); ++ fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x416, x413); ++ fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x414, x411); ++ fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x412, x409); ++ fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x410, x407); ++ fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x408, x405); ++ fiat_secp384r1_addcarryx_u32(&x441, &x442, 0x0, x381, x423); ++ fiat_secp384r1_addcarryx_u32(&x443, &x444, x442, x383, x424); ++ fiat_secp384r1_addcarryx_u32(&x445, &x446, x444, x385, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x447, &x448, x446, x387, x421); ++ fiat_secp384r1_addcarryx_u32(&x449, &x450, x448, x389, x425); ++ fiat_secp384r1_addcarryx_u32(&x451, &x452, x450, x391, x427); ++ fiat_secp384r1_addcarryx_u32(&x453, &x454, x452, x393, x429); ++ fiat_secp384r1_addcarryx_u32(&x455, &x456, x454, x395, x431); ++ fiat_secp384r1_addcarryx_u32(&x457, &x458, x456, x397, x433); ++ fiat_secp384r1_addcarryx_u32(&x459, &x460, x458, x399, x435); ++ fiat_secp384r1_addcarryx_u32(&x461, &x462, x460, x401, x437); ++ fiat_secp384r1_addcarryx_u32(&x463, &x464, x462, x403, x439); ++ fiat_secp384r1_addcarryx_u32(&x465, &x466, x464, ((uint32_t)x404 + x370), ++ (x440 + x406)); ++ fiat_secp384r1_mulx_u32(&x467, &x468, x5, 0x2); ++ fiat_secp384r1_mulx_u32(&x469, &x470, x5, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x471, &x472, x5, 0x2); ++ fiat_secp384r1_mulx_u32(&x473, &x474, x5, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x475, &x476, 0x0, (fiat_secp384r1_uint1)x468, ++ x5); ++ fiat_secp384r1_addcarryx_u32(&x477, &x478, 0x0, x443, x5); ++ fiat_secp384r1_addcarryx_u32(&x479, &x480, x478, x445, x473); ++ fiat_secp384r1_addcarryx_u32(&x481, &x482, x480, x447, x474); ++ fiat_secp384r1_addcarryx_u32(&x483, &x484, x482, x449, x471); ++ fiat_secp384r1_addcarryx_u32(&x485, &x486, x484, x451, ++ (fiat_secp384r1_uint1)x472); ++ fiat_secp384r1_addcarryx_u32(&x487, &x488, x486, x453, x469); ++ fiat_secp384r1_addcarryx_u32(&x489, &x490, x488, x455, x470); ++ fiat_secp384r1_addcarryx_u32(&x491, &x492, x490, x457, x467); ++ fiat_secp384r1_addcarryx_u32(&x493, &x494, x492, x459, x475); ++ fiat_secp384r1_addcarryx_u32(&x495, &x496, x494, x461, x476); ++ fiat_secp384r1_addcarryx_u32(&x497, &x498, x496, x463, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x499, &x500, x498, x465, 0x0); ++ fiat_secp384r1_mulx_u32(&x501, &x502, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x503, &x504, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x505, &x506, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x507, &x508, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x509, &x510, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x511, &x512, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x513, &x514, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x515, &x516, x477, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x517, &x518, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x519, &x520, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x521, &x522, 0x0, x518, x515); ++ fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x516, x513); ++ fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x514, x511); ++ fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x512, x509); ++ fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x510, x507); ++ fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x508, x505); ++ fiat_secp384r1_addcarryx_u32(&x533, &x534, x532, x506, x503); ++ fiat_secp384r1_addcarryx_u32(&x535, &x536, x534, x504, x501); ++ fiat_secp384r1_addcarryx_u32(&x537, &x538, 0x0, x477, x519); ++ fiat_secp384r1_addcarryx_u32(&x539, &x540, x538, x479, x520); ++ fiat_secp384r1_addcarryx_u32(&x541, &x542, x540, x481, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x543, &x544, x542, x483, x517); ++ fiat_secp384r1_addcarryx_u32(&x545, &x546, x544, x485, x521); ++ fiat_secp384r1_addcarryx_u32(&x547, &x548, x546, x487, x523); ++ fiat_secp384r1_addcarryx_u32(&x549, &x550, x548, x489, x525); ++ fiat_secp384r1_addcarryx_u32(&x551, &x552, x550, x491, x527); ++ fiat_secp384r1_addcarryx_u32(&x553, &x554, x552, x493, x529); ++ fiat_secp384r1_addcarryx_u32(&x555, &x556, x554, x495, x531); ++ fiat_secp384r1_addcarryx_u32(&x557, &x558, x556, x497, x533); ++ fiat_secp384r1_addcarryx_u32(&x559, &x560, x558, x499, x535); ++ fiat_secp384r1_addcarryx_u32(&x561, &x562, x560, ((uint32_t)x500 + x466), ++ (x536 + x502)); ++ fiat_secp384r1_mulx_u32(&x563, &x564, x6, 0x2); ++ fiat_secp384r1_mulx_u32(&x565, &x566, x6, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x567, &x568, x6, 0x2); ++ fiat_secp384r1_mulx_u32(&x569, &x570, x6, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x571, &x572, 0x0, (fiat_secp384r1_uint1)x564, ++ x6); ++ fiat_secp384r1_addcarryx_u32(&x573, &x574, 0x0, x539, x6); ++ fiat_secp384r1_addcarryx_u32(&x575, &x576, x574, x541, x569); ++ fiat_secp384r1_addcarryx_u32(&x577, &x578, x576, x543, x570); ++ fiat_secp384r1_addcarryx_u32(&x579, &x580, x578, x545, x567); ++ fiat_secp384r1_addcarryx_u32(&x581, &x582, x580, x547, ++ (fiat_secp384r1_uint1)x568); ++ fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x549, x565); ++ fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x551, x566); ++ fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x553, x563); ++ fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x555, x571); ++ fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x557, x572); ++ fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x559, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x561, 0x0); ++ fiat_secp384r1_mulx_u32(&x597, &x598, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x599, &x600, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x601, &x602, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x603, &x604, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x605, &x606, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x607, &x608, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x609, &x610, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x611, &x612, x573, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x613, &x614, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x615, &x616, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x617, &x618, 0x0, x614, x611); ++ fiat_secp384r1_addcarryx_u32(&x619, &x620, x618, x612, x609); ++ fiat_secp384r1_addcarryx_u32(&x621, &x622, x620, x610, x607); ++ fiat_secp384r1_addcarryx_u32(&x623, &x624, x622, x608, x605); ++ fiat_secp384r1_addcarryx_u32(&x625, &x626, x624, x606, x603); ++ fiat_secp384r1_addcarryx_u32(&x627, &x628, x626, x604, x601); ++ fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x602, x599); ++ fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x600, x597); ++ fiat_secp384r1_addcarryx_u32(&x633, &x634, 0x0, x573, x615); ++ fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x575, x616); ++ fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x577, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x579, x613); ++ fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x581, x617); ++ fiat_secp384r1_addcarryx_u32(&x643, &x644, x642, x583, x619); ++ fiat_secp384r1_addcarryx_u32(&x645, &x646, x644, x585, x621); ++ fiat_secp384r1_addcarryx_u32(&x647, &x648, x646, x587, x623); ++ fiat_secp384r1_addcarryx_u32(&x649, &x650, x648, x589, x625); ++ fiat_secp384r1_addcarryx_u32(&x651, &x652, x650, x591, x627); ++ fiat_secp384r1_addcarryx_u32(&x653, &x654, x652, x593, x629); ++ fiat_secp384r1_addcarryx_u32(&x655, &x656, x654, x595, x631); ++ fiat_secp384r1_addcarryx_u32(&x657, &x658, x656, ((uint32_t)x596 + x562), ++ (x632 + x598)); ++ fiat_secp384r1_mulx_u32(&x659, &x660, x7, 0x2); ++ fiat_secp384r1_mulx_u32(&x661, &x662, x7, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x663, &x664, x7, 0x2); ++ fiat_secp384r1_mulx_u32(&x665, &x666, x7, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x667, &x668, 0x0, (fiat_secp384r1_uint1)x660, ++ x7); ++ fiat_secp384r1_addcarryx_u32(&x669, &x670, 0x0, x635, x7); ++ fiat_secp384r1_addcarryx_u32(&x671, &x672, x670, x637, x665); ++ fiat_secp384r1_addcarryx_u32(&x673, &x674, x672, x639, x666); ++ fiat_secp384r1_addcarryx_u32(&x675, &x676, x674, x641, x663); ++ fiat_secp384r1_addcarryx_u32(&x677, &x678, x676, x643, ++ (fiat_secp384r1_uint1)x664); ++ fiat_secp384r1_addcarryx_u32(&x679, &x680, x678, x645, x661); ++ fiat_secp384r1_addcarryx_u32(&x681, &x682, x680, x647, x662); ++ fiat_secp384r1_addcarryx_u32(&x683, &x684, x682, x649, x659); ++ fiat_secp384r1_addcarryx_u32(&x685, &x686, x684, x651, x667); ++ fiat_secp384r1_addcarryx_u32(&x687, &x688, x686, x653, x668); ++ fiat_secp384r1_addcarryx_u32(&x689, &x690, x688, x655, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x691, &x692, x690, x657, 0x0); ++ fiat_secp384r1_mulx_u32(&x693, &x694, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x695, &x696, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x697, &x698, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x699, &x700, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x701, &x702, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x703, &x704, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x705, &x706, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x707, &x708, x669, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x709, &x710, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x711, &x712, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x713, &x714, 0x0, x710, x707); ++ fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x708, x705); ++ fiat_secp384r1_addcarryx_u32(&x717, &x718, x716, x706, x703); ++ fiat_secp384r1_addcarryx_u32(&x719, &x720, x718, x704, x701); ++ fiat_secp384r1_addcarryx_u32(&x721, &x722, x720, x702, x699); ++ fiat_secp384r1_addcarryx_u32(&x723, &x724, x722, x700, x697); ++ fiat_secp384r1_addcarryx_u32(&x725, &x726, x724, x698, x695); ++ fiat_secp384r1_addcarryx_u32(&x727, &x728, x726, x696, x693); ++ fiat_secp384r1_addcarryx_u32(&x729, &x730, 0x0, x669, x711); ++ fiat_secp384r1_addcarryx_u32(&x731, &x732, x730, x671, x712); ++ fiat_secp384r1_addcarryx_u32(&x733, &x734, x732, x673, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x735, &x736, x734, x675, x709); ++ fiat_secp384r1_addcarryx_u32(&x737, &x738, x736, x677, x713); ++ fiat_secp384r1_addcarryx_u32(&x739, &x740, x738, x679, x715); ++ fiat_secp384r1_addcarryx_u32(&x741, &x742, x740, x681, x717); ++ fiat_secp384r1_addcarryx_u32(&x743, &x744, x742, x683, x719); ++ fiat_secp384r1_addcarryx_u32(&x745, &x746, x744, x685, x721); ++ fiat_secp384r1_addcarryx_u32(&x747, &x748, x746, x687, x723); ++ fiat_secp384r1_addcarryx_u32(&x749, &x750, x748, x689, x725); ++ fiat_secp384r1_addcarryx_u32(&x751, &x752, x750, x691, x727); ++ fiat_secp384r1_addcarryx_u32(&x753, &x754, x752, ((uint32_t)x692 + x658), ++ (x728 + x694)); ++ fiat_secp384r1_mulx_u32(&x755, &x756, x8, 0x2); ++ fiat_secp384r1_mulx_u32(&x757, &x758, x8, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x759, &x760, x8, 0x2); ++ fiat_secp384r1_mulx_u32(&x761, &x762, x8, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x763, &x764, 0x0, (fiat_secp384r1_uint1)x756, ++ x8); ++ fiat_secp384r1_addcarryx_u32(&x765, &x766, 0x0, x731, x8); ++ fiat_secp384r1_addcarryx_u32(&x767, &x768, x766, x733, x761); ++ fiat_secp384r1_addcarryx_u32(&x769, &x770, x768, x735, x762); ++ fiat_secp384r1_addcarryx_u32(&x771, &x772, x770, x737, x759); ++ fiat_secp384r1_addcarryx_u32(&x773, &x774, x772, x739, ++ (fiat_secp384r1_uint1)x760); ++ fiat_secp384r1_addcarryx_u32(&x775, &x776, x774, x741, x757); ++ fiat_secp384r1_addcarryx_u32(&x777, &x778, x776, x743, x758); ++ fiat_secp384r1_addcarryx_u32(&x779, &x780, x778, x745, x755); ++ fiat_secp384r1_addcarryx_u32(&x781, &x782, x780, x747, x763); ++ fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x749, x764); ++ fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x751, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x753, 0x0); ++ fiat_secp384r1_mulx_u32(&x789, &x790, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x791, &x792, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x793, &x794, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x795, &x796, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x797, &x798, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x799, &x800, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x801, &x802, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x803, &x804, x765, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x805, &x806, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x807, &x808, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x809, &x810, 0x0, x806, x803); ++ fiat_secp384r1_addcarryx_u32(&x811, &x812, x810, x804, x801); ++ fiat_secp384r1_addcarryx_u32(&x813, &x814, x812, x802, x799); ++ fiat_secp384r1_addcarryx_u32(&x815, &x816, x814, x800, x797); ++ fiat_secp384r1_addcarryx_u32(&x817, &x818, x816, x798, x795); ++ fiat_secp384r1_addcarryx_u32(&x819, &x820, x818, x796, x793); ++ fiat_secp384r1_addcarryx_u32(&x821, &x822, x820, x794, x791); ++ fiat_secp384r1_addcarryx_u32(&x823, &x824, x822, x792, x789); ++ fiat_secp384r1_addcarryx_u32(&x825, &x826, 0x0, x765, x807); ++ fiat_secp384r1_addcarryx_u32(&x827, &x828, x826, x767, x808); ++ fiat_secp384r1_addcarryx_u32(&x829, &x830, x828, x769, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x831, &x832, x830, x771, x805); ++ fiat_secp384r1_addcarryx_u32(&x833, &x834, x832, x773, x809); ++ fiat_secp384r1_addcarryx_u32(&x835, &x836, x834, x775, x811); ++ fiat_secp384r1_addcarryx_u32(&x837, &x838, x836, x777, x813); ++ fiat_secp384r1_addcarryx_u32(&x839, &x840, x838, x779, x815); ++ fiat_secp384r1_addcarryx_u32(&x841, &x842, x840, x781, x817); ++ fiat_secp384r1_addcarryx_u32(&x843, &x844, x842, x783, x819); ++ fiat_secp384r1_addcarryx_u32(&x845, &x846, x844, x785, x821); ++ fiat_secp384r1_addcarryx_u32(&x847, &x848, x846, x787, x823); ++ fiat_secp384r1_addcarryx_u32(&x849, &x850, x848, ((uint32_t)x788 + x754), ++ (x824 + x790)); ++ fiat_secp384r1_mulx_u32(&x851, &x852, x9, 0x2); ++ fiat_secp384r1_mulx_u32(&x853, &x854, x9, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x855, &x856, x9, 0x2); ++ fiat_secp384r1_mulx_u32(&x857, &x858, x9, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x859, &x860, 0x0, (fiat_secp384r1_uint1)x852, ++ x9); ++ fiat_secp384r1_addcarryx_u32(&x861, &x862, 0x0, x827, x9); ++ fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x829, x857); ++ fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x831, x858); ++ fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x833, x855); ++ fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x835, ++ (fiat_secp384r1_uint1)x856); ++ fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x837, x853); ++ fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x839, x854); ++ fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x841, x851); ++ fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x843, x859); ++ fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x845, x860); ++ fiat_secp384r1_addcarryx_u32(&x881, &x882, x880, x847, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x883, &x884, x882, x849, 0x0); ++ fiat_secp384r1_mulx_u32(&x885, &x886, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x887, &x888, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x889, &x890, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x891, &x892, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x893, &x894, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x895, &x896, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x897, &x898, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x899, &x900, x861, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x901, &x902, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x903, &x904, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x905, &x906, 0x0, x902, x899); ++ fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x900, x897); ++ fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x898, x895); ++ fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x896, x893); ++ fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x894, x891); ++ fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x892, x889); ++ fiat_secp384r1_addcarryx_u32(&x917, &x918, x916, x890, x887); ++ fiat_secp384r1_addcarryx_u32(&x919, &x920, x918, x888, x885); ++ fiat_secp384r1_addcarryx_u32(&x921, &x922, 0x0, x861, x903); ++ fiat_secp384r1_addcarryx_u32(&x923, &x924, x922, x863, x904); ++ fiat_secp384r1_addcarryx_u32(&x925, &x926, x924, x865, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x927, &x928, x926, x867, x901); ++ fiat_secp384r1_addcarryx_u32(&x929, &x930, x928, x869, x905); ++ fiat_secp384r1_addcarryx_u32(&x931, &x932, x930, x871, x907); ++ fiat_secp384r1_addcarryx_u32(&x933, &x934, x932, x873, x909); ++ fiat_secp384r1_addcarryx_u32(&x935, &x936, x934, x875, x911); ++ fiat_secp384r1_addcarryx_u32(&x937, &x938, x936, x877, x913); ++ fiat_secp384r1_addcarryx_u32(&x939, &x940, x938, x879, x915); ++ fiat_secp384r1_addcarryx_u32(&x941, &x942, x940, x881, x917); ++ fiat_secp384r1_addcarryx_u32(&x943, &x944, x942, x883, x919); ++ fiat_secp384r1_addcarryx_u32(&x945, &x946, x944, ((uint32_t)x884 + x850), ++ (x920 + x886)); ++ fiat_secp384r1_mulx_u32(&x947, &x948, x10, 0x2); ++ fiat_secp384r1_mulx_u32(&x949, &x950, x10, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x951, &x952, x10, 0x2); ++ fiat_secp384r1_mulx_u32(&x953, &x954, x10, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x955, &x956, 0x0, (fiat_secp384r1_uint1)x948, ++ x10); ++ fiat_secp384r1_addcarryx_u32(&x957, &x958, 0x0, x923, x10); ++ fiat_secp384r1_addcarryx_u32(&x959, &x960, x958, x925, x953); ++ fiat_secp384r1_addcarryx_u32(&x961, &x962, x960, x927, x954); ++ fiat_secp384r1_addcarryx_u32(&x963, &x964, x962, x929, x951); ++ fiat_secp384r1_addcarryx_u32(&x965, &x966, x964, x931, ++ (fiat_secp384r1_uint1)x952); ++ fiat_secp384r1_addcarryx_u32(&x967, &x968, x966, x933, x949); ++ fiat_secp384r1_addcarryx_u32(&x969, &x970, x968, x935, x950); ++ fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x937, x947); ++ fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x939, x955); ++ fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x941, x956); ++ fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x943, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x945, 0x0); ++ fiat_secp384r1_mulx_u32(&x981, &x982, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x983, &x984, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x985, &x986, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x987, &x988, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x989, &x990, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x991, &x992, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x993, &x994, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x995, &x996, x957, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x997, &x998, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x999, &x1000, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1001, &x1002, 0x0, x998, x995); ++ fiat_secp384r1_addcarryx_u32(&x1003, &x1004, x1002, x996, x993); ++ fiat_secp384r1_addcarryx_u32(&x1005, &x1006, x1004, x994, x991); ++ fiat_secp384r1_addcarryx_u32(&x1007, &x1008, x1006, x992, x989); ++ fiat_secp384r1_addcarryx_u32(&x1009, &x1010, x1008, x990, x987); ++ fiat_secp384r1_addcarryx_u32(&x1011, &x1012, x1010, x988, x985); ++ fiat_secp384r1_addcarryx_u32(&x1013, &x1014, x1012, x986, x983); ++ fiat_secp384r1_addcarryx_u32(&x1015, &x1016, x1014, x984, x981); ++ fiat_secp384r1_addcarryx_u32(&x1017, &x1018, 0x0, x957, x999); ++ fiat_secp384r1_addcarryx_u32(&x1019, &x1020, x1018, x959, x1000); ++ fiat_secp384r1_addcarryx_u32(&x1021, &x1022, x1020, x961, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1023, &x1024, x1022, x963, x997); ++ fiat_secp384r1_addcarryx_u32(&x1025, &x1026, x1024, x965, x1001); ++ fiat_secp384r1_addcarryx_u32(&x1027, &x1028, x1026, x967, x1003); ++ fiat_secp384r1_addcarryx_u32(&x1029, &x1030, x1028, x969, x1005); ++ fiat_secp384r1_addcarryx_u32(&x1031, &x1032, x1030, x971, x1007); ++ fiat_secp384r1_addcarryx_u32(&x1033, &x1034, x1032, x973, x1009); ++ fiat_secp384r1_addcarryx_u32(&x1035, &x1036, x1034, x975, x1011); ++ fiat_secp384r1_addcarryx_u32(&x1037, &x1038, x1036, x977, x1013); ++ fiat_secp384r1_addcarryx_u32(&x1039, &x1040, x1038, x979, x1015); ++ fiat_secp384r1_addcarryx_u32(&x1041, &x1042, x1040, ((uint32_t)x980 + x946), ++ (x1016 + x982)); ++ fiat_secp384r1_mulx_u32(&x1043, &x1044, x11, 0x2); ++ fiat_secp384r1_mulx_u32(&x1045, &x1046, x11, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1047, &x1048, x11, 0x2); ++ fiat_secp384r1_mulx_u32(&x1049, &x1050, x11, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x1051, &x1052, 0x0, ++ (fiat_secp384r1_uint1)x1044, x11); ++ fiat_secp384r1_addcarryx_u32(&x1053, &x1054, 0x0, x1019, x11); ++ fiat_secp384r1_addcarryx_u32(&x1055, &x1056, x1054, x1021, x1049); ++ fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x1023, x1050); ++ fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x1025, x1047); ++ fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x1027, ++ (fiat_secp384r1_uint1)x1048); ++ fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1029, x1045); ++ fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1031, x1046); ++ fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1033, x1043); ++ fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1035, x1051); ++ fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1037, x1052); ++ fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1039, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1041, 0x0); ++ fiat_secp384r1_mulx_u32(&x1077, &x1078, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1079, &x1080, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1081, &x1082, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1083, &x1084, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1085, &x1086, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1087, &x1088, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1089, &x1090, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1091, &x1092, x1053, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1093, &x1094, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1095, &x1096, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1097, &x1098, 0x0, x1094, x1091); ++ fiat_secp384r1_addcarryx_u32(&x1099, &x1100, x1098, x1092, x1089); ++ fiat_secp384r1_addcarryx_u32(&x1101, &x1102, x1100, x1090, x1087); ++ fiat_secp384r1_addcarryx_u32(&x1103, &x1104, x1102, x1088, x1085); ++ fiat_secp384r1_addcarryx_u32(&x1105, &x1106, x1104, x1086, x1083); ++ fiat_secp384r1_addcarryx_u32(&x1107, &x1108, x1106, x1084, x1081); ++ fiat_secp384r1_addcarryx_u32(&x1109, &x1110, x1108, x1082, x1079); ++ fiat_secp384r1_addcarryx_u32(&x1111, &x1112, x1110, x1080, x1077); ++ fiat_secp384r1_addcarryx_u32(&x1113, &x1114, 0x0, x1053, x1095); ++ fiat_secp384r1_addcarryx_u32(&x1115, &x1116, x1114, x1055, x1096); ++ fiat_secp384r1_addcarryx_u32(&x1117, &x1118, x1116, x1057, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1119, &x1120, x1118, x1059, x1093); ++ fiat_secp384r1_addcarryx_u32(&x1121, &x1122, x1120, x1061, x1097); ++ fiat_secp384r1_addcarryx_u32(&x1123, &x1124, x1122, x1063, x1099); ++ fiat_secp384r1_addcarryx_u32(&x1125, &x1126, x1124, x1065, x1101); ++ fiat_secp384r1_addcarryx_u32(&x1127, &x1128, x1126, x1067, x1103); ++ fiat_secp384r1_addcarryx_u32(&x1129, &x1130, x1128, x1069, x1105); ++ fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1071, x1107); ++ fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1073, x1109); ++ fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1075, x1111); ++ fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, ++ ((uint32_t)x1076 + x1042), (x1112 + x1078)); ++ fiat_secp384r1_subborrowx_u32(&x1139, &x1140, 0x0, x1115, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1141, &x1142, x1140, x1117, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1143, &x1144, x1142, x1119, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1145, &x1146, x1144, x1121, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1147, &x1148, x1146, x1123, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x1149, &x1150, x1148, x1125, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1151, &x1152, x1150, x1127, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1153, &x1154, x1152, x1129, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1155, &x1156, x1154, x1131, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1157, &x1158, x1156, x1133, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1159, &x1160, x1158, x1135, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1161, &x1162, x1160, x1137, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1163, &x1164, x1162, x1138, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x1165, x1164, x1139, x1115); ++ fiat_secp384r1_cmovznz_u32(&x1166, x1164, x1141, x1117); ++ fiat_secp384r1_cmovznz_u32(&x1167, x1164, x1143, x1119); ++ fiat_secp384r1_cmovznz_u32(&x1168, x1164, x1145, x1121); ++ fiat_secp384r1_cmovznz_u32(&x1169, x1164, x1147, x1123); ++ fiat_secp384r1_cmovznz_u32(&x1170, x1164, x1149, x1125); ++ fiat_secp384r1_cmovznz_u32(&x1171, x1164, x1151, x1127); ++ fiat_secp384r1_cmovznz_u32(&x1172, x1164, x1153, x1129); ++ fiat_secp384r1_cmovznz_u32(&x1173, x1164, x1155, x1131); ++ fiat_secp384r1_cmovznz_u32(&x1174, x1164, x1157, x1133); ++ fiat_secp384r1_cmovznz_u32(&x1175, x1164, x1159, x1135); ++ fiat_secp384r1_cmovznz_u32(&x1176, x1164, x1161, x1137); ++ out1[0] = x1165; ++ out1[1] = x1166; ++ out1[2] = x1167; ++ out1[3] = x1168; ++ out1[4] = x1169; ++ out1[5] = x1170; ++ out1[6] = x1171; ++ out1[7] = x1172; ++ out1[8] = x1173; ++ out1[9] = x1174; ++ out1[10] = x1175; ++ out1[11] = x1176; ++} ++ ++/* ++ * The function fiat_secp384r1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ */ ++static void ++fiat_secp384r1_nonzero(uint32_t *out1, const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ x1 = ((arg1[0]) | ++ ((arg1[1]) | ++ ((arg1[2]) | ++ ((arg1[3]) | ++ ((arg1[4]) | ++ ((arg1[5]) | ++ ((arg1[6]) | ++ ((arg1[7]) | ++ ((arg1[8]) | ++ ((arg1[9]) | ++ ((arg1[10]) | ((arg1[11]) | (uint32_t)0x0)))))))))))); ++ *out1 = x1; ++} ++ ++/* ++ * The function fiat_secp384r1_selectznz is a multi-limb conditional select. ++ * Postconditions: ++ * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_selectznz(uint32_t out1[12], ++ fiat_secp384r1_uint1 arg1, ++ const uint32_t arg2[12], ++ const uint32_t arg3[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ fiat_secp384r1_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); ++ fiat_secp384r1_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); ++ fiat_secp384r1_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); ++ fiat_secp384r1_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); ++ fiat_secp384r1_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); ++ fiat_secp384r1_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); ++ fiat_secp384r1_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); ++ fiat_secp384r1_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); ++ fiat_secp384r1_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); ++ fiat_secp384r1_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9])); ++ fiat_secp384r1_cmovznz_u32(&x11, arg1, (arg2[10]), (arg3[10])); ++ fiat_secp384r1_cmovznz_u32(&x12, arg1, (arg2[11]), (arg3[11])); ++ out1[0] = x1; ++ out1[1] = x2; ++ out1[2] = x3; ++ out1[3] = x4; ++ out1[4] = x5; ++ out1[5] = x6; ++ out1[6] = x7; ++ out1[7] = x8; ++ out1[8] = x9; ++ out1[9] = x10; ++ out1[10] = x11; ++ out1[11] = x12; ++} ++ ++/* ++ * The function fiat_secp384r1_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ */ ++static void ++fiat_secp384r1_to_bytes(uint8_t out1[48], const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint8_t x14; ++ uint32_t x15; ++ uint8_t x16; ++ uint8_t x17; ++ uint8_t x18; ++ uint8_t x19; ++ uint32_t x20; ++ uint8_t x21; ++ uint32_t x22; ++ uint8_t x23; ++ uint8_t x24; ++ uint8_t x25; ++ uint8_t x26; ++ uint32_t x27; ++ uint8_t x28; ++ uint32_t x29; ++ uint8_t x30; ++ uint8_t x31; ++ uint8_t x32; ++ uint8_t x33; ++ uint32_t x34; ++ uint8_t x35; ++ uint32_t x36; ++ uint8_t x37; ++ uint8_t x38; ++ uint8_t x39; ++ uint8_t x40; ++ uint32_t x41; ++ uint8_t x42; ++ uint32_t x43; ++ uint8_t x44; ++ uint8_t x45; ++ uint8_t x46; ++ uint8_t x47; ++ uint32_t x48; ++ uint8_t x49; ++ uint32_t x50; ++ uint8_t x51; ++ uint8_t x52; ++ uint8_t x53; ++ uint8_t x54; ++ uint32_t x55; ++ uint8_t x56; ++ uint32_t x57; ++ uint8_t x58; ++ uint8_t x59; ++ uint8_t x60; ++ uint8_t x61; ++ uint32_t x62; ++ uint8_t x63; ++ uint32_t x64; ++ uint8_t x65; ++ uint8_t x66; ++ uint8_t x67; ++ uint8_t x68; ++ uint32_t x69; ++ uint8_t x70; ++ uint32_t x71; ++ uint8_t x72; ++ uint8_t x73; ++ uint8_t x74; ++ uint8_t x75; ++ uint32_t x76; ++ uint8_t x77; ++ uint32_t x78; ++ uint8_t x79; ++ uint8_t x80; ++ uint8_t x81; ++ uint8_t x82; ++ uint32_t x83; ++ uint8_t x84; ++ uint32_t x85; ++ uint8_t x86; ++ uint8_t x87; ++ uint8_t x88; ++ uint8_t x89; ++ uint32_t x90; ++ uint8_t x91; ++ uint32_t x92; ++ uint8_t x93; ++ uint8_t x94; ++ uint8_t x95; ++ x1 = (arg1[11]); ++ x2 = (arg1[10]); ++ x3 = (arg1[9]); ++ x4 = (arg1[8]); ++ x5 = (arg1[7]); ++ x6 = (arg1[6]); ++ x7 = (arg1[5]); ++ x8 = (arg1[4]); ++ x9 = (arg1[3]); ++ x10 = (arg1[2]); ++ x11 = (arg1[1]); ++ x12 = (arg1[0]); ++ x13 = (x12 >> 8); ++ x14 = (uint8_t)(x12 & UINT8_C(0xff)); ++ x15 = (x13 >> 8); ++ x16 = (uint8_t)(x13 & UINT8_C(0xff)); ++ x17 = (uint8_t)(x15 >> 8); ++ x18 = (uint8_t)(x15 & UINT8_C(0xff)); ++ x19 = (uint8_t)(x17 & UINT8_C(0xff)); ++ x20 = (x11 >> 8); ++ x21 = (uint8_t)(x11 & UINT8_C(0xff)); ++ x22 = (x20 >> 8); ++ x23 = (uint8_t)(x20 & UINT8_C(0xff)); ++ x24 = (uint8_t)(x22 >> 8); ++ x25 = (uint8_t)(x22 & UINT8_C(0xff)); ++ x26 = (uint8_t)(x24 & UINT8_C(0xff)); ++ x27 = (x10 >> 8); ++ x28 = (uint8_t)(x10 & UINT8_C(0xff)); ++ x29 = (x27 >> 8); ++ x30 = (uint8_t)(x27 & UINT8_C(0xff)); ++ x31 = (uint8_t)(x29 >> 8); ++ x32 = (uint8_t)(x29 & UINT8_C(0xff)); ++ x33 = (uint8_t)(x31 & UINT8_C(0xff)); ++ x34 = (x9 >> 8); ++ x35 = (uint8_t)(x9 & UINT8_C(0xff)); ++ x36 = (x34 >> 8); ++ x37 = (uint8_t)(x34 & UINT8_C(0xff)); ++ x38 = (uint8_t)(x36 >> 8); ++ x39 = (uint8_t)(x36 & UINT8_C(0xff)); ++ x40 = (uint8_t)(x38 & UINT8_C(0xff)); ++ x41 = (x8 >> 8); ++ x42 = (uint8_t)(x8 & UINT8_C(0xff)); ++ x43 = (x41 >> 8); ++ x44 = (uint8_t)(x41 & UINT8_C(0xff)); ++ x45 = (uint8_t)(x43 >> 8); ++ x46 = (uint8_t)(x43 & UINT8_C(0xff)); ++ x47 = (uint8_t)(x45 & UINT8_C(0xff)); ++ x48 = (x7 >> 8); ++ x49 = (uint8_t)(x7 & UINT8_C(0xff)); ++ x50 = (x48 >> 8); ++ x51 = (uint8_t)(x48 & UINT8_C(0xff)); ++ x52 = (uint8_t)(x50 >> 8); ++ x53 = (uint8_t)(x50 & UINT8_C(0xff)); ++ x54 = (uint8_t)(x52 & UINT8_C(0xff)); ++ x55 = (x6 >> 8); ++ x56 = (uint8_t)(x6 & UINT8_C(0xff)); ++ x57 = (x55 >> 8); ++ x58 = (uint8_t)(x55 & UINT8_C(0xff)); ++ x59 = (uint8_t)(x57 >> 8); ++ x60 = (uint8_t)(x57 & UINT8_C(0xff)); ++ x61 = (uint8_t)(x59 & UINT8_C(0xff)); ++ x62 = (x5 >> 8); ++ x63 = (uint8_t)(x5 & UINT8_C(0xff)); ++ x64 = (x62 >> 8); ++ x65 = (uint8_t)(x62 & UINT8_C(0xff)); ++ x66 = (uint8_t)(x64 >> 8); ++ x67 = (uint8_t)(x64 & UINT8_C(0xff)); ++ x68 = (uint8_t)(x66 & UINT8_C(0xff)); ++ x69 = (x4 >> 8); ++ x70 = (uint8_t)(x4 & UINT8_C(0xff)); ++ x71 = (x69 >> 8); ++ x72 = (uint8_t)(x69 & UINT8_C(0xff)); ++ x73 = (uint8_t)(x71 >> 8); ++ x74 = (uint8_t)(x71 & UINT8_C(0xff)); ++ x75 = (uint8_t)(x73 & UINT8_C(0xff)); ++ x76 = (x3 >> 8); ++ x77 = (uint8_t)(x3 & UINT8_C(0xff)); ++ x78 = (x76 >> 8); ++ x79 = (uint8_t)(x76 & UINT8_C(0xff)); ++ x80 = (uint8_t)(x78 >> 8); ++ x81 = (uint8_t)(x78 & UINT8_C(0xff)); ++ x82 = (uint8_t)(x80 & UINT8_C(0xff)); ++ x83 = (x2 >> 8); ++ x84 = (uint8_t)(x2 & UINT8_C(0xff)); ++ x85 = (x83 >> 8); ++ x86 = (uint8_t)(x83 & UINT8_C(0xff)); ++ x87 = (uint8_t)(x85 >> 8); ++ x88 = (uint8_t)(x85 & UINT8_C(0xff)); ++ x89 = (uint8_t)(x87 & UINT8_C(0xff)); ++ x90 = (x1 >> 8); ++ x91 = (uint8_t)(x1 & UINT8_C(0xff)); ++ x92 = (x90 >> 8); ++ x93 = (uint8_t)(x90 & UINT8_C(0xff)); ++ x94 = (uint8_t)(x92 >> 8); ++ x95 = (uint8_t)(x92 & UINT8_C(0xff)); ++ out1[0] = x14; ++ out1[1] = x16; ++ out1[2] = x18; ++ out1[3] = x19; ++ out1[4] = x21; ++ out1[5] = x23; ++ out1[6] = x25; ++ out1[7] = x26; ++ out1[8] = x28; ++ out1[9] = x30; ++ out1[10] = x32; ++ out1[11] = x33; ++ out1[12] = x35; ++ out1[13] = x37; ++ out1[14] = x39; ++ out1[15] = x40; ++ out1[16] = x42; ++ out1[17] = x44; ++ out1[18] = x46; ++ out1[19] = x47; ++ out1[20] = x49; ++ out1[21] = x51; ++ out1[22] = x53; ++ out1[23] = x54; ++ out1[24] = x56; ++ out1[25] = x58; ++ out1[26] = x60; ++ out1[27] = x61; ++ out1[28] = x63; ++ out1[29] = x65; ++ out1[30] = x67; ++ out1[31] = x68; ++ out1[32] = x70; ++ out1[33] = x72; ++ out1[34] = x74; ++ out1[35] = x75; ++ out1[36] = x77; ++ out1[37] = x79; ++ out1[38] = x81; ++ out1[39] = x82; ++ out1[40] = x84; ++ out1[41] = x86; ++ out1[42] = x88; ++ out1[43] = x89; ++ out1[44] = x91; ++ out1[45] = x93; ++ out1[46] = x95; ++ out1[47] = x94; ++} ++ ++/* ++ * The function fiat_secp384r1_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ bytes_eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = bytes_eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_from_bytes(uint32_t out1[12], ++ const uint8_t arg1[48]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint8_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint8_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint8_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint8_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint8_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ uint32_t x23; ++ uint8_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint8_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint8_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint8_t x36; ++ uint32_t x37; ++ uint32_t x38; ++ uint32_t x39; ++ uint8_t x40; ++ uint32_t x41; ++ uint32_t x42; ++ uint32_t x43; ++ uint8_t x44; ++ uint32_t x45; ++ uint32_t x46; ++ uint32_t x47; ++ uint8_t x48; ++ uint32_t x49; ++ uint32_t x50; ++ uint32_t x51; ++ uint32_t x52; ++ uint32_t x53; ++ uint32_t x54; ++ uint32_t x55; ++ uint32_t x56; ++ uint32_t x57; ++ uint32_t x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ uint32_t x63; ++ uint32_t x64; ++ uint32_t x65; ++ uint32_t x66; ++ uint32_t x67; ++ uint32_t x68; ++ uint32_t x69; ++ uint32_t x70; ++ uint32_t x71; ++ x1 = ((uint32_t)(arg1[47]) << 24); ++ x2 = ((uint32_t)(arg1[46]) << 16); ++ x3 = ((uint32_t)(arg1[45]) << 8); ++ x4 = (arg1[44]); ++ x5 = ((uint32_t)(arg1[43]) << 24); ++ x6 = ((uint32_t)(arg1[42]) << 16); ++ x7 = ((uint32_t)(arg1[41]) << 8); ++ x8 = (arg1[40]); ++ x9 = ((uint32_t)(arg1[39]) << 24); ++ x10 = ((uint32_t)(arg1[38]) << 16); ++ x11 = ((uint32_t)(arg1[37]) << 8); ++ x12 = (arg1[36]); ++ x13 = ((uint32_t)(arg1[35]) << 24); ++ x14 = ((uint32_t)(arg1[34]) << 16); ++ x15 = ((uint32_t)(arg1[33]) << 8); ++ x16 = (arg1[32]); ++ x17 = ((uint32_t)(arg1[31]) << 24); ++ x18 = ((uint32_t)(arg1[30]) << 16); ++ x19 = ((uint32_t)(arg1[29]) << 8); ++ x20 = (arg1[28]); ++ x21 = ((uint32_t)(arg1[27]) << 24); ++ x22 = ((uint32_t)(arg1[26]) << 16); ++ x23 = ((uint32_t)(arg1[25]) << 8); ++ x24 = (arg1[24]); ++ x25 = ((uint32_t)(arg1[23]) << 24); ++ x26 = ((uint32_t)(arg1[22]) << 16); ++ x27 = ((uint32_t)(arg1[21]) << 8); ++ x28 = (arg1[20]); ++ x29 = ((uint32_t)(arg1[19]) << 24); ++ x30 = ((uint32_t)(arg1[18]) << 16); ++ x31 = ((uint32_t)(arg1[17]) << 8); ++ x32 = (arg1[16]); ++ x33 = ((uint32_t)(arg1[15]) << 24); ++ x34 = ((uint32_t)(arg1[14]) << 16); ++ x35 = ((uint32_t)(arg1[13]) << 8); ++ x36 = (arg1[12]); ++ x37 = ((uint32_t)(arg1[11]) << 24); ++ x38 = ((uint32_t)(arg1[10]) << 16); ++ x39 = ((uint32_t)(arg1[9]) << 8); ++ x40 = (arg1[8]); ++ x41 = ((uint32_t)(arg1[7]) << 24); ++ x42 = ((uint32_t)(arg1[6]) << 16); ++ x43 = ((uint32_t)(arg1[5]) << 8); ++ x44 = (arg1[4]); ++ x45 = ((uint32_t)(arg1[3]) << 24); ++ x46 = ((uint32_t)(arg1[2]) << 16); ++ x47 = ((uint32_t)(arg1[1]) << 8); ++ x48 = (arg1[0]); ++ x49 = (x48 + (x47 + (x46 + x45))); ++ x50 = (x49 & UINT32_C(0xffffffff)); ++ x51 = (x4 + (x3 + (x2 + x1))); ++ x52 = (x8 + (x7 + (x6 + x5))); ++ x53 = (x12 + (x11 + (x10 + x9))); ++ x54 = (x16 + (x15 + (x14 + x13))); ++ x55 = (x20 + (x19 + (x18 + x17))); ++ x56 = (x24 + (x23 + (x22 + x21))); ++ x57 = (x28 + (x27 + (x26 + x25))); ++ x58 = (x32 + (x31 + (x30 + x29))); ++ x59 = (x36 + (x35 + (x34 + x33))); ++ x60 = (x40 + (x39 + (x38 + x37))); ++ x61 = (x44 + (x43 + (x42 + x41))); ++ x62 = (x61 & UINT32_C(0xffffffff)); ++ x63 = (x60 & UINT32_C(0xffffffff)); ++ x64 = (x59 & UINT32_C(0xffffffff)); ++ x65 = (x58 & UINT32_C(0xffffffff)); ++ x66 = (x57 & UINT32_C(0xffffffff)); ++ x67 = (x56 & UINT32_C(0xffffffff)); ++ x68 = (x55 & UINT32_C(0xffffffff)); ++ x69 = (x54 & UINT32_C(0xffffffff)); ++ x70 = (x53 & UINT32_C(0xffffffff)); ++ x71 = (x52 & UINT32_C(0xffffffff)); ++ out1[0] = x50; ++ out1[1] = x62; ++ out1[2] = x63; ++ out1[3] = x64; ++ out1[4] = x65; ++ out1[5] = x66; ++ out1[6] = x67; ++ out1[7] = x68; ++ out1[8] = x69; ++ out1[9] = x70; ++ out1[10] = x71; ++ out1[11] = x51; ++} ++ ++/* END verbatim fiat code */ ++ ++/*- ++ * Finite field inversion via FLT. ++ * NB: this is not a real Fiat function, just named that way for consistency. ++ * Autogenerated: ecp/secp384r1/fe_inv.op3 ++ * custom repunit addition chain ++ */ ++static void ++fiat_secp384r1_inv(fe_t output, const fe_t t1) ++{ ++ int i; ++ /* temporary variables */ ++ fe_t acc, t10, t170, t2, t20, t255, t30, t32, t4, t64, t8, t84, t85; ++ ++ fiat_secp384r1_square(acc, t1); ++ fiat_secp384r1_mul(t2, acc, t1); ++ fiat_secp384r1_square(acc, t2); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t4, acc, t2); ++ fiat_secp384r1_square(acc, t4); ++ for (i = 0; i < 3; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t8, acc, t4); ++ fiat_secp384r1_square(acc, t8); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t10, acc, t2); ++ fiat_secp384r1_square(acc, t10); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t20, acc, t10); ++ fiat_secp384r1_square(acc, t20); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t30, acc, t10); ++ fiat_secp384r1_square(acc, t30); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t32, acc, t2); ++ fiat_secp384r1_square(acc, t32); ++ for (i = 0; i < 31; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t64, acc, t32); ++ fiat_secp384r1_square(acc, t64); ++ for (i = 0; i < 19; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t84, acc, t20); ++ fiat_secp384r1_square(acc, t84); ++ fiat_secp384r1_mul(t85, acc, t1); ++ fiat_secp384r1_square(acc, t85); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t170, acc, t85); ++ fiat_secp384r1_square(acc, t170); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t255, acc, t85); ++ fiat_secp384r1_square(acc, t255); ++ for (i = 0; i < 32; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t32); ++ for (i = 0; i < 94; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t30); ++ for (i = 0; i < 2; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(output, acc, t1); ++} ++ ++/* curve coefficient constants */ ++ ++static const limb_t const_one[12] = { ++ UINT32_C(0x00000001), UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFF), ++ UINT32_C(0x00000000), UINT32_C(0x00000001), UINT32_C(0x00000000), ++ UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), ++ UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000) ++}; ++ ++static const limb_t const_b[12] = { ++ UINT32_C(0x9D412DCC), UINT32_C(0x08118871), UINT32_C(0x7A4C32EC), ++ UINT32_C(0xF729ADD8), UINT32_C(0x1920022E), UINT32_C(0x77F2209B), ++ UINT32_C(0x94938AE2), UINT32_C(0xE3374BEE), UINT32_C(0x1F022094), ++ UINT32_C(0xB62B21F4), UINT32_C(0x604FBFF9), UINT32_C(0xCD08114B) ++}; ++ ++/* LUT for scalar multiplication by comb interleaving */ ++static const pt_aff_t lut_cmb[21][16] = { ++ { ++ { { UINT32_C(0x49C0B528), UINT32_C(0x3DD07566), UINT32_C(0xA0D6CE38), ++ UINT32_C(0x20E378E2), UINT32_C(0x541B4D6E), UINT32_C(0x879C3AFC), ++ UINT32_C(0x59A30EFF), UINT32_C(0x64548684), UINT32_C(0x614EDE2B), ++ UINT32_C(0x812FF723), UINT32_C(0x299E1513), UINT32_C(0x4D3AADC2) }, ++ { UINT32_C(0x4B03A4FE), UINT32_C(0x23043DAD), UINT32_C(0x7BB4A9AC), ++ UINT32_C(0xA1BFA8BF), UINT32_C(0x2E83B050), UINT32_C(0x8BADE756), ++ UINT32_C(0x68F4FFD9), UINT32_C(0xC6C35219), UINT32_C(0x3969A840), ++ UINT32_C(0xDD800226), UINT32_C(0x5A15C5E9), UINT32_C(0x2B78ABC2) } }, ++ { { UINT32_C(0xC1DC4073), UINT32_C(0x05E4DBE6), UINT32_C(0xF04F779C), ++ UINT32_C(0xC54EA9FF), UINT32_C(0xA170CCF0), UINT32_C(0x6B2034E9), ++ UINT32_C(0xD51C6C3E), UINT32_C(0x3A48D732), UINT32_C(0x263AA470), ++ UINT32_C(0xE36F7E2D), UINT32_C(0xE7C1C3AC), UINT32_C(0xD283FE68) }, ++ { UINT32_C(0xC04EE157), UINT32_C(0x7E284821), UINT32_C(0x7AE0E36D), ++ UINT32_C(0x92D789A7), UINT32_C(0x4EF67446), UINT32_C(0x132663C0), ++ UINT32_C(0xD2E1D0B4), UINT32_C(0x68012D5A), UINT32_C(0x5102B339), ++ UINT32_C(0xF6DB68B1), UINT32_C(0x983292AF), UINT32_C(0x465465FC) } }, ++ { { UINT32_C(0x68F1F0DF), UINT32_C(0xBB595EBA), UINT32_C(0xCC873466), ++ UINT32_C(0xC185C0CB), UINT32_C(0x293C703B), UINT32_C(0x7F1EB1B5), ++ UINT32_C(0xAACC05E6), UINT32_C(0x60DB2CF5), UINT32_C(0xE2E8E4C6), ++ UINT32_C(0xC676B987), UINT32_C(0x1D178FFB), UINT32_C(0xE1BB26B1) }, ++ { UINT32_C(0x7073FA21), UINT32_C(0x2B694BA0), UINT32_C(0x72F34566), ++ UINT32_C(0x22C16E2E), UINT32_C(0x01C35B99), UINT32_C(0x80B61B31), ++ UINT32_C(0x982C0411), UINT32_C(0x4B237FAF), UINT32_C(0x24DE236D), ++ UINT32_C(0xE6C59440), UINT32_C(0xE209E4A3), UINT32_C(0x4DB1C9D6) } }, ++ { { UINT32_C(0x7D69222B), UINT32_C(0xDF13B9D1), UINT32_C(0x874774B1), ++ UINT32_C(0x4CE6415F), UINT32_C(0x211FAA95), UINT32_C(0x731EDCF8), ++ UINT32_C(0x659753ED), UINT32_C(0x5F4215D1), UINT32_C(0x9DB2DF55), ++ UINT32_C(0xF893DB58), UINT32_C(0x1C89025B), UINT32_C(0x932C9F81) }, ++ { UINT32_C(0x7706A61E), UINT32_C(0x0996B220), UINT32_C(0xA8641C79), ++ UINT32_C(0x135349D5), UINT32_C(0x50130844), UINT32_C(0x65AAD76F), ++ UINT32_C(0x01FFF780), UINT32_C(0x0FF37C04), UINT32_C(0x693B0706), ++ UINT32_C(0xF57F238E), UINT32_C(0xAF6C9B3E), UINT32_C(0xD90A16B6) } }, ++ { { UINT32_C(0x2353B92F), UINT32_C(0x2F5D200E), UINT32_C(0x3FD7E4F9), ++ UINT32_C(0xE35D8729), UINT32_C(0xA96D745D), UINT32_C(0x26094833), ++ UINT32_C(0x3CBFFF3F), UINT32_C(0xDC351DC1), UINT32_C(0xDAD54D6A), ++ UINT32_C(0x26D464C6), UINT32_C(0x53636C6A), UINT32_C(0x5CAB1D1D) }, ++ { UINT32_C(0xB18EC0B0), UINT32_C(0xF2813072), UINT32_C(0xD742AA2F), ++ UINT32_C(0x3777E270), UINT32_C(0x033CA7C2), UINT32_C(0x27F061C7), ++ UINT32_C(0x68EAD0D8), UINT32_C(0xA6ECACCC), UINT32_C(0xEE69A754), ++ UINT32_C(0x7D9429F4), UINT32_C(0x31E8F5C6), UINT32_C(0xE7706334) } }, ++ { { UINT32_C(0xB68B8C7D), UINT32_C(0xC7708B19), UINT32_C(0x44377ABA), ++ UINT32_C(0x4532077C), UINT32_C(0x6CDAD64F), UINT32_C(0x0DCC6770), ++ UINT32_C(0x147B6602), UINT32_C(0x01B8BF56), UINT32_C(0xF0561D79), ++ UINT32_C(0xF8D89885), UINT32_C(0x7BA9C437), UINT32_C(0x9C19E9FC) }, ++ { UINT32_C(0xBDC4BA25), UINT32_C(0x764EB146), UINT32_C(0xAC144B83), ++ UINT32_C(0x604FE46B), UINT32_C(0x8A77E780), UINT32_C(0x3CE81329), ++ UINT32_C(0xFE9E682E), UINT32_C(0x2E070F36), UINT32_C(0x3A53287A), ++ UINT32_C(0x41821D0C), UINT32_C(0x3533F918), UINT32_C(0x9AA62F9F) } }, ++ { { UINT32_C(0x75CCBDFB), UINT32_C(0x9B7AEB7E), UINT32_C(0xF6749A95), ++ UINT32_C(0xB25E28C5), UINT32_C(0x33B7D4AE), UINT32_C(0x8A7A8E46), ++ UINT32_C(0xD9C1BD56), UINT32_C(0xDB5203A8), UINT32_C(0xED22DF97), ++ UINT32_C(0xD2657265), UINT32_C(0x8CF23C94), UINT32_C(0xB51C56E1) }, ++ { UINT32_C(0x6C3D812D), UINT32_C(0xF4D39459), UINT32_C(0x87CAE0C2), ++ UINT32_C(0xD8E88F1A), UINT32_C(0xCF4D0FE3), UINT32_C(0x789A2A48), ++ UINT32_C(0xFEC38D60), UINT32_C(0xB7FEAC2D), UINT32_C(0x3B490EC3), ++ UINT32_C(0x81FDBD1C), UINT32_C(0xCC6979E1), UINT32_C(0x4617ADB7) } }, ++ { { UINT32_C(0x4709F4A9), UINT32_C(0x446AD888), UINT32_C(0xEC3DABD8), ++ UINT32_C(0x2B7210E2), UINT32_C(0x50E07B34), UINT32_C(0x83CCF195), ++ UINT32_C(0x789B3075), UINT32_C(0x59500917), UINT32_C(0xEB085993), ++ UINT32_C(0x0FC01FD4), UINT32_C(0x4903026B), UINT32_C(0xFB62D26F) }, ++ { UINT32_C(0x6FE989BB), UINT32_C(0x2309CC9D), UINT32_C(0x144BD586), ++ UINT32_C(0x61609CBD), UINT32_C(0xDE06610C), UINT32_C(0x4B23D3A0), ++ UINT32_C(0xD898F470), UINT32_C(0xDDDC2866), UINT32_C(0x400C5797), ++ UINT32_C(0x8733FC41), UINT32_C(0xD0BC2716), UINT32_C(0x5A68C6FE) } }, ++ { { UINT32_C(0x4B4A3CD0), UINT32_C(0x8903E130), UINT32_C(0x8FF1F43E), ++ UINT32_C(0x3EA4EA4C), UINT32_C(0xF655A10D), UINT32_C(0xE6FC3F2A), ++ UINT32_C(0x524FFEFC), UINT32_C(0x7BE3737D), UINT32_C(0x5330455E), ++ UINT32_C(0x9F692855), UINT32_C(0xE475CE70), UINT32_C(0x524F166E) }, ++ { UINT32_C(0x6C12F055), UINT32_C(0x3FCC69CD), UINT32_C(0xD5B9C0DA), ++ UINT32_C(0x4E23B6FF), UINT32_C(0x336BF183), UINT32_C(0x49CE6993), ++ UINT32_C(0x4A54504A), UINT32_C(0xF87D6D85), UINT32_C(0xB3C2677A), ++ UINT32_C(0x25EB5DF1), UINT32_C(0x55B164C9), UINT32_C(0xAC37986F) } }, ++ { { UINT32_C(0xBAA84C08), UINT32_C(0x82A2ED4A), UINT32_C(0x41A8C912), ++ UINT32_C(0x22C4CC5F), UINT32_C(0x154AAD5E), UINT32_C(0xCA109C3B), ++ UINT32_C(0xFC38538E), UINT32_C(0x23891298), UINT32_C(0x539802AE), ++ UINT32_C(0xB3B6639C), UINT32_C(0x0390D706), UINT32_C(0xFA0F1F45) }, ++ { UINT32_C(0xB0DC21D0), UINT32_C(0x46B78E5D), UINT32_C(0xC3DA2EAC), ++ UINT32_C(0xA8C72D3C), UINT32_C(0x6FF2F643), UINT32_C(0x9170B378), ++ UINT32_C(0xB67F30C3), UINT32_C(0x3F5A799B), UINT32_C(0x8264B672), ++ UINT32_C(0x15D1DC77), UINT32_C(0xE9577764), UINT32_C(0xA1D47B23) } }, ++ { { UINT32_C(0x0422CE2F), UINT32_C(0x08265E51), UINT32_C(0xDD2F9E21), ++ UINT32_C(0x88E0D496), UINT32_C(0x6177F75D), UINT32_C(0x30128AA0), ++ UINT32_C(0xBD9EBE69), UINT32_C(0x2E59AB62), UINT32_C(0x5DF0E537), ++ UINT32_C(0x1B1A0F6C), UINT32_C(0xDAC012B5), UINT32_C(0xAB16C626) }, ++ { UINT32_C(0x008C5DE7), UINT32_C(0x8014214B), UINT32_C(0x38F17BEA), ++ UINT32_C(0xAA740A9E), UINT32_C(0x8A149098), UINT32_C(0x262EBB49), ++ UINT32_C(0x8527CD59), UINT32_C(0xB454111E), UINT32_C(0xACEA5817), ++ UINT32_C(0x266AD15A), UINT32_C(0x1353CCBA), UINT32_C(0x21824F41) } }, ++ { { UINT32_C(0x12E3683B), UINT32_C(0xD1B4E74D), UINT32_C(0x569B8EF6), ++ UINT32_C(0x990ED20B), UINT32_C(0x429C0A18), UINT32_C(0xB9D3DD25), ++ UINT32_C(0x2A351783), UINT32_C(0x1C75B8AB), UINT32_C(0x905432F0), ++ UINT32_C(0x61E4CA2B), UINT32_C(0xEEA8F224), UINT32_C(0x80826A69) }, ++ { UINT32_C(0xEC52ABAD), UINT32_C(0x7FC33A6B), UINT32_C(0xA65E4813), ++ UINT32_C(0x0BCCA3F0), UINT32_C(0xA527CEBE), UINT32_C(0x7AD8A132), ++ UINT32_C(0xEAF22C7E), UINT32_C(0xF0138950), UINT32_C(0x566718C1), ++ UINT32_C(0x282D2437), UINT32_C(0xE2212559), UINT32_C(0x9DFCCB0D) } }, ++ { { UINT32_C(0x58CE3B83), UINT32_C(0x1E937227), UINT32_C(0x3CB3FB36), ++ UINT32_C(0xBB280DFA), UINT32_C(0xE2BE174A), UINT32_C(0x57D0F3D2), ++ UINT32_C(0x208ABE1E), UINT32_C(0x9BD51B99), UINT32_C(0xDE248024), ++ UINT32_C(0x3809AB50), UINT32_C(0xA5BB7331), UINT32_C(0xC29C6E2C) }, ++ { UINT32_C(0x61124F05), UINT32_C(0x9944FD2E), UINT32_C(0x9009E391), ++ UINT32_C(0x83CCBC4E), UINT32_C(0x9424A3CC), UINT32_C(0x01628F05), ++ UINT32_C(0xEA8E4344), UINT32_C(0xD6A2F51D), UINT32_C(0x4CEBC96E), ++ UINT32_C(0xDA3E1A3D), UINT32_C(0xE97809DC), UINT32_C(0x1FE6FB42) } }, ++ { { UINT32_C(0x467D66E4), UINT32_C(0xA04482D2), UINT32_C(0x4D78291D), ++ UINT32_C(0xCF191293), UINT32_C(0x482396F9), UINT32_C(0x8E0D4168), ++ UINT32_C(0xD18F14D0), UINT32_C(0x7228E2D5), UINT32_C(0x9C6A58FE), ++ UINT32_C(0x2F7E8D50), UINT32_C(0x373E5AEC), UINT32_C(0xE8CA780E) }, ++ { UINT32_C(0x1B68E9F8), UINT32_C(0x42AAD1D6), UINT32_C(0x69E2F8F4), ++ UINT32_C(0x58A6D7F5), UINT32_C(0x31DA1BEA), UINT32_C(0xD779ADFE), ++ UINT32_C(0x38C85A85), UINT32_C(0x7D265406), UINT32_C(0xD44D3CDF), ++ UINT32_C(0x67E67195), UINT32_C(0xC5134ED7), UINT32_C(0x17820A0B) } }, ++ { { UINT32_C(0xD3021470), UINT32_C(0x019D6AC5), UINT32_C(0x780443D6), ++ UINT32_C(0x25846B66), UINT32_C(0x55C97647), UINT32_C(0xCE3C15ED), ++ UINT32_C(0x0E3FEB0F), UINT32_C(0x3DC22D49), UINT32_C(0xA7DF26E4), ++ UINT32_C(0x2065B7CB), UINT32_C(0x187CEA1F), UINT32_C(0xC8B00AE8) }, ++ { UINT32_C(0x865DDED3), UINT32_C(0x1A5284A0), UINT32_C(0x20C83DE2), ++ UINT32_C(0x293C1649), UINT32_C(0xCCE851B3), UINT32_C(0xAB178D26), ++ UINT32_C(0x404505FB), UINT32_C(0x8E6DB10B), UINT32_C(0x90C82033), ++ UINT32_C(0xF6F57E71), UINT32_C(0x5977F16C), UINT32_C(0x1D2A1C01) } }, ++ { { UINT32_C(0x7C8906A4), UINT32_C(0xA39C8931), UINT32_C(0x9E821EE6), ++ UINT32_C(0xB6E7ECDD), UINT32_C(0xF0DF4FE6), UINT32_C(0x2ECF8340), ++ UINT32_C(0x53C14965), UINT32_C(0xD42F7DC9), UINT32_C(0xE3BA8285), ++ UINT32_C(0x1AFB51A3), UINT32_C(0x0A3305D1), UINT32_C(0x6C07C404) }, ++ { UINT32_C(0x127FC1DA), UINT32_C(0xDAB83288), UINT32_C(0x374C4B08), ++ UINT32_C(0xBC0A699B), UINT32_C(0x42EB20DD), UINT32_C(0x402A9BAB), ++ UINT32_C(0x045A7A1C), UINT32_C(0xD7DD464F), UINT32_C(0x36BEECC4), ++ UINT32_C(0x5B3D0D6D), UINT32_C(0x6398A19D), UINT32_C(0x475A3E75) } }, ++ }, ++ { ++ { { UINT32_C(0x72876AE8), UINT32_C(0x31BDB483), UINT32_C(0x961ED1BF), ++ UINT32_C(0xE3325D98), UINT32_C(0x9B6FC64D), UINT32_C(0x18C04246), ++ UINT32_C(0x15786B8C), UINT32_C(0x0DCC15FA), UINT32_C(0x8E63DA4A), ++ UINT32_C(0x81ACDB06), UINT32_C(0xDADA70FB), UINT32_C(0xD3A4B643) }, ++ { UINT32_C(0xDEA424EB), UINT32_C(0x46361AFE), UINT32_C(0x89B92970), ++ UINT32_C(0xDC2D2CAE), UINT32_C(0x615694E6), UINT32_C(0xF389B61B), ++ UINT32_C(0x872951D2), UINT32_C(0x7036DEF1), UINT32_C(0xD93BADC7), ++ UINT32_C(0x40FD3BDA), UINT32_C(0x380A68D3), UINT32_C(0x45AB6321) } }, ++ { { UINT32_C(0x81A2703A), UINT32_C(0x23C1F744), UINT32_C(0xB9859136), ++ UINT32_C(0x1A5D075C), UINT32_C(0x5AFD1BFD), UINT32_C(0xA4F82C9D), ++ UINT32_C(0xF89D76FE), UINT32_C(0xA3D1E9A4), UINT32_C(0x75702F80), ++ UINT32_C(0x964F7050), UINT32_C(0xF56C089D), UINT32_C(0x182BF349) }, ++ { UINT32_C(0xBE0DA6E1), UINT32_C(0xE205FA8F), UINT32_C(0x0A40F8F3), ++ UINT32_C(0x32905EB9), UINT32_C(0x356D4395), UINT32_C(0x331A1004), ++ UINT32_C(0xFDBBDFDE), UINT32_C(0x58B78901), UINT32_C(0x9BA00E71), ++ UINT32_C(0xA52A1597), UINT32_C(0x55497A30), UINT32_C(0xE0092E1F) } }, ++ { { UINT32_C(0x70EE8F39), UINT32_C(0x5562A856), UINT32_C(0x64E52A9C), ++ UINT32_C(0x86B0C117), UINT32_C(0x09C75B8C), UINT32_C(0xC19F3174), ++ UINT32_C(0x24923F80), UINT32_C(0x21C7CC31), UINT32_C(0x8F5B291E), ++ UINT32_C(0xE63FE47F), UINT32_C(0x0DC08B05), UINT32_C(0x3D6D3C05) }, ++ { UINT32_C(0xEE0C39A1), UINT32_C(0x58AE455E), UINT32_C(0x0AD97942), ++ UINT32_C(0x78BEA431), UINT32_C(0x3EE3989C), UINT32_C(0x42C7C97F), ++ UINT32_C(0xF38759AE), UINT32_C(0xC1B03AF5), UINT32_C(0xBCF46899), ++ UINT32_C(0x1A673C75), UINT32_C(0x8D508C7D), UINT32_C(0x4831B7D3) } }, ++ { { UINT32_C(0xC552E354), UINT32_C(0x76512D1B), UINT32_C(0x273020FD), ++ UINT32_C(0x2B7EB6DF), UINT32_C(0x025A5F25), UINT32_C(0xD1C73AA8), ++ UINT32_C(0x5CBD2A40), UINT32_C(0x2ABA1929), UINT32_C(0xC88D61C6), ++ UINT32_C(0xB53CADC3), UINT32_C(0x098290F3), UINT32_C(0x7E66A95E) }, ++ { UINT32_C(0xAF4C5073), UINT32_C(0x72800ECB), UINT32_C(0x9DC63FAF), ++ UINT32_C(0x81F2725E), UINT32_C(0x282BA9D1), UINT32_C(0x14BF92A7), ++ UINT32_C(0xBD5F1BB2), UINT32_C(0x90629672), UINT32_C(0xA97C6C96), ++ UINT32_C(0x362F68EB), UINT32_C(0x7EA9D601), UINT32_C(0xB1D3BB8B) } }, ++ { { UINT32_C(0xA9C94429), UINT32_C(0x73878F7F), UINT32_C(0x456CA6D8), ++ UINT32_C(0xB35C3BC8), UINT32_C(0xF721923A), UINT32_C(0xD96F0B3C), ++ UINT32_C(0xE6D44FA1), UINT32_C(0x28D8F06C), UINT32_C(0xD5CD671A), ++ UINT32_C(0x94EFDCDC), UINT32_C(0x3F97D481), UINT32_C(0x0299AB93) }, ++ { UINT32_C(0x2FD1D324), UINT32_C(0xB7CED6EA), UINT32_C(0x7E932EC2), ++ UINT32_C(0xBD683208), UINT32_C(0xCB755A6E), UINT32_C(0x24ED31FB), ++ UINT32_C(0xE48781D2), UINT32_C(0xA636098E), UINT32_C(0xF0A4F297), ++ UINT32_C(0x8687C63C), UINT32_C(0x07478526), UINT32_C(0xBB523440) } }, ++ { { UINT32_C(0x34124B56), UINT32_C(0x2E5F7419), UINT32_C(0x4B3F02CA), ++ UINT32_C(0x1F223AE1), UINT32_C(0xE8336C7E), UINT32_C(0x6345B427), ++ UINT32_C(0xF5D0E3D0), UINT32_C(0x92123E16), UINT32_C(0x45E79F3A), ++ UINT32_C(0xDAF0D14D), UINT32_C(0x6F3BD0C6), UINT32_C(0x6ACA6765) }, ++ { UINT32_C(0x403813F4), UINT32_C(0xF6169FAB), UINT32_C(0x334A4C59), ++ UINT32_C(0x31DC39C0), UINT32_C(0xD589866D), UINT32_C(0x74C46753), ++ UINT32_C(0x984C6A5D), UINT32_C(0x5741511D), UINT32_C(0x97FED2D3), ++ UINT32_C(0xF2631287), UINT32_C(0x11614886), UINT32_C(0x5687CA1B) } }, ++ { { UINT32_C(0x33836D4B), UINT32_C(0x076D902A), UINT32_C(0x24AFB557), ++ UINT32_C(0xEC6C5C43), UINT32_C(0xA0516A0F), UINT32_C(0xA0FE2D1C), ++ UINT32_C(0x00D22ECC), UINT32_C(0x6FB8D737), UINT32_C(0xDAF1D7B3), ++ UINT32_C(0xF1DE9077), UINT32_C(0xD4C0C1EB), UINT32_C(0xE4695F77) }, ++ { UINT32_C(0xB4375573), UINT32_C(0x5F0FD8A8), UINT32_C(0x5E50944F), ++ UINT32_C(0x76238359), UINT32_C(0x635CD76F), UINT32_C(0x65EA2F28), ++ UINT32_C(0x25FDE7B0), UINT32_C(0x08547769), UINT32_C(0x51944304), ++ UINT32_C(0xB2345A2E), UINT32_C(0xA16C980D), UINT32_C(0x86EFA2F7) } }, ++ { { UINT32_C(0xBF4D1D63), UINT32_C(0x4CCBE2D0), UINT32_C(0x397366D5), ++ UINT32_C(0x32E33401), UINT32_C(0x71BDA2CE), UINT32_C(0xC83AFDDE), ++ UINT32_C(0x478ED9E6), UINT32_C(0x8DACE2AC), UINT32_C(0x763FDD9E), ++ UINT32_C(0x3AC6A559), UINT32_C(0xB398558F), UINT32_C(0x0FFDB04C) }, ++ { UINT32_C(0xAFB9D6B8), UINT32_C(0x6C1B99B2), UINT32_C(0x27F815DD), ++ UINT32_C(0x572BA39C), UINT32_C(0x0DBCF842), UINT32_C(0x9DE73EE7), ++ UINT32_C(0x29267B88), UINT32_C(0x2A3ED589), UINT32_C(0x15EBBBB3), ++ UINT32_C(0xD46A7FD3), UINT32_C(0xE29400C7), UINT32_C(0xD1D01863) } }, ++ { { UINT32_C(0xE1F89EC5), UINT32_C(0x8FB101D1), UINT32_C(0xF8508042), ++ UINT32_C(0xB87A1F53), UINT32_C(0x0ED7BEEF), UINT32_C(0x28C8DB24), ++ UINT32_C(0xACE8660A), UINT32_C(0x3940F845), UINT32_C(0xC6D453FD), ++ UINT32_C(0x4EACB619), UINT32_C(0x2BAD6160), UINT32_C(0x2E044C98) }, ++ { UINT32_C(0x80B16C02), UINT32_C(0x87928548), UINT32_C(0xC0A9EB64), ++ UINT32_C(0xF0D4BEB3), UINT32_C(0xC183C195), UINT32_C(0xD785B4AF), ++ UINT32_C(0x5E6C46EA), UINT32_C(0x23AAB0E6), UINT32_C(0xA930FECA), ++ UINT32_C(0x30F7E104), UINT32_C(0xD55C10FB), UINT32_C(0x6A1A7B8B) } }, ++ { { UINT32_C(0xDBFED1AA), UINT32_C(0xDA74EAEB), UINT32_C(0xDF0B025C), ++ UINT32_C(0xC8A59223), UINT32_C(0xD5B627F7), UINT32_C(0x7EF7DC85), ++ UINT32_C(0x197D7624), UINT32_C(0x02A13AE1), UINT32_C(0x2F785A9B), ++ UINT32_C(0x119E9BE1), UINT32_C(0x00D6B219), UINT32_C(0xC0B7572F) }, ++ { UINT32_C(0x6D4CAF30), UINT32_C(0x9B1E5126), UINT32_C(0x0A840BD1), ++ UINT32_C(0xA16A5117), UINT32_C(0x0E9CCF43), UINT32_C(0x5BE17B91), ++ UINT32_C(0x69CF2C9C), UINT32_C(0x5BDBEDDD), UINT32_C(0x4CF4F289), ++ UINT32_C(0x9FFBFBCF), UINT32_C(0x6C355CE9), UINT32_C(0xE1A62183) } }, ++ { { UINT32_C(0xA7B2FCCF), UINT32_C(0x056199D9), UINT32_C(0xCE1D784E), ++ UINT32_C(0x51F2E7B6), UINT32_C(0x339E2FF0), UINT32_C(0xA1D09C47), ++ UINT32_C(0xB836D0A9), UINT32_C(0xC8E64890), UINT32_C(0xC0D07EBE), ++ UINT32_C(0x2F781DCB), UINT32_C(0x3ACF934C), UINT32_C(0x5CF3C2AD) }, ++ { UINT32_C(0xA17E26AE), UINT32_C(0xE55DB190), UINT32_C(0x91245513), ++ UINT32_C(0xC9C61E1F), UINT32_C(0x61998C15), UINT32_C(0x83D7E6CF), ++ UINT32_C(0xE41D38E3), UINT32_C(0x4DB33C85), UINT32_C(0xC2FEE43D), ++ UINT32_C(0x74D5F91D), UINT32_C(0x36BBC826), UINT32_C(0x7EBBDB45) } }, ++ { { UINT32_C(0xCB655A9D), UINT32_C(0xE20EC7E9), UINT32_C(0x5C47D421), ++ UINT32_C(0x4977EB92), UINT32_C(0x3B9D72FA), UINT32_C(0xA237E12C), ++ UINT32_C(0xCBF7B145), UINT32_C(0xCAAEDBC1), UINT32_C(0x3B77AAA3), ++ UINT32_C(0x5200F5B2), UINT32_C(0xBDBE5380), UINT32_C(0x32EDED55) }, ++ { UINT32_C(0xE7C9B80A), UINT32_C(0x74E38A40), UINT32_C(0xAB6DE911), ++ UINT32_C(0x3A3F0CF8), UINT32_C(0xAD16AAF0), UINT32_C(0x56DCDD7A), ++ UINT32_C(0x8E861D5E), UINT32_C(0x3D292449), UINT32_C(0x985733E2), ++ UINT32_C(0xD6C61878), UINT32_C(0x6AA6CD5B), UINT32_C(0x2401FE7D) } }, ++ { { UINT32_C(0xB42E3686), UINT32_C(0xABB3DC75), UINT32_C(0xB4C57E61), ++ UINT32_C(0xAE712419), UINT32_C(0xB21B009B), UINT32_C(0x2C565F72), ++ UINT32_C(0x710C3699), UINT32_C(0xA5F1DA2E), UINT32_C(0xA5EBA59A), ++ UINT32_C(0x771099A0), UINT32_C(0xC10017A0), UINT32_C(0x4DA88F4A) }, ++ { UINT32_C(0x1927B56D), UINT32_C(0x987FFFD3), UINT32_C(0xC4E33478), ++ UINT32_C(0xB98CB8EC), UINT32_C(0xC2248166), UINT32_C(0xB224A971), ++ UINT32_C(0xDE1DC794), UINT32_C(0x5470F554), UINT32_C(0xE31FF983), ++ UINT32_C(0xD747CC24), UINT32_C(0xB5B22DAE), UINT32_C(0xB91745E9) } }, ++ { { UINT32_C(0x72F34420), UINT32_C(0x6CCBFED0), UINT32_C(0xA53039D2), ++ UINT32_C(0x95045E4D), UINT32_C(0x5A793944), UINT32_C(0x3B6C1154), ++ UINT32_C(0xDDB6B799), UINT32_C(0xAA114145), UINT32_C(0x252B7637), ++ UINT32_C(0xABC15CA4), UINT32_C(0xA5744634), UINT32_C(0x5745A35B) }, ++ { UINT32_C(0xDA596FC0), UINT32_C(0x05DC6BDE), UINT32_C(0xA8020881), ++ UINT32_C(0xCD52C18C), UINT32_C(0xD296BAD0), UINT32_C(0x03FA9F47), ++ UINT32_C(0x7268E139), UINT32_C(0xD8E2C129), UINT32_C(0x9EC450B0), ++ UINT32_C(0x58C1A98D), UINT32_C(0xDE48B20D), UINT32_C(0x909638DA) } }, ++ { { UINT32_C(0x9B7F8311), UINT32_C(0x7AFC30D4), UINT32_C(0x42368EA3), ++ UINT32_C(0x82A00422), UINT32_C(0x6F5F9865), UINT32_C(0xBFF95198), ++ UINT32_C(0xFC0A070F), UINT32_C(0x9B24F612), UINT32_C(0x620F489D), ++ UINT32_C(0x22C06CF2), UINT32_C(0x780F7DBB), UINT32_C(0x3C7ED052) }, ++ { UINT32_C(0x34DAFE9B), UINT32_C(0xDB87AB18), UINT32_C(0x9C4BBCA1), ++ UINT32_C(0x20C03B40), UINT32_C(0x59A42341), UINT32_C(0x5D718CF0), ++ UINT32_C(0x69E84538), UINT32_C(0x98631706), UINT32_C(0xD27D64E1), ++ UINT32_C(0x5557192B), UINT32_C(0xDA822766), UINT32_C(0x08B4EC52) } }, ++ { { UINT32_C(0xD66C1A59), UINT32_C(0xB2D986F6), UINT32_C(0x78E0E423), ++ UINT32_C(0x927DEB16), UINT32_C(0x49C3DEDC), UINT32_C(0x9E673CDE), ++ UINT32_C(0xF7ECB6CF), UINT32_C(0xFA362D84), UINT32_C(0x1BA17340), ++ UINT32_C(0x078E5F40), UINT32_C(0x1F4E489C), UINT32_C(0x934CA5D1) }, ++ { UINT32_C(0x64EEF493), UINT32_C(0xC03C0731), UINT32_C(0xD7931A7E), ++ UINT32_C(0x631A353B), UINT32_C(0x65DD74F1), UINT32_C(0x8E7CC3BB), ++ UINT32_C(0x702676A5), UINT32_C(0xD55864C5), UINT32_C(0x439F04BD), ++ UINT32_C(0x6D306AC4), UINT32_C(0x2BAFED57), UINT32_C(0x58544F67) } }, ++ }, ++ { ++ { { UINT32_C(0xEC074AEA), UINT32_C(0xB083BA6A), UINT32_C(0x7F0B505B), ++ UINT32_C(0x46FAC5EF), UINT32_C(0xFC82DC03), UINT32_C(0x95367A21), ++ UINT32_C(0x9D3679D8), UINT32_C(0x227BE26A), UINT32_C(0x7E9724C0), ++ UINT32_C(0xC70F6D6C), UINT32_C(0xF9EBEC0F), UINT32_C(0xCD68C757) }, ++ { UINT32_C(0x8FF321B2), UINT32_C(0x29DDE03E), UINT32_C(0x031939DC), ++ UINT32_C(0xF84AD7BB), UINT32_C(0x0F602F4B), UINT32_C(0xDAF590C9), ++ UINT32_C(0x49722BC4), UINT32_C(0x17C52888), UINT32_C(0x089B22B6), ++ UINT32_C(0xA8DF99F0), UINT32_C(0xE59B9B90), UINT32_C(0xC21BC5D4) } }, ++ { { UINT32_C(0x8A31973F), UINT32_C(0x4936C6A0), UINT32_C(0x83B8C205), ++ UINT32_C(0x54D442FA), UINT32_C(0x5714F2C6), UINT32_C(0x03AEE8B4), ++ UINT32_C(0x3F5AC25A), UINT32_C(0x139BD692), UINT32_C(0xB5B33794), ++ UINT32_C(0x6A2E42BA), UINT32_C(0x3FF7BBA9), UINT32_C(0x50FA1164) }, ++ { UINT32_C(0xF7E2C099), UINT32_C(0xB61D8643), UINT32_C(0xBD5C6637), ++ UINT32_C(0x2366C993), UINT32_C(0x72EB77FA), UINT32_C(0x62110E14), ++ UINT32_C(0x3B99C635), UINT32_C(0x3D5B96F1), UINT32_C(0xF674C9F2), ++ UINT32_C(0x956ECF64), UINT32_C(0xEF2BA250), UINT32_C(0xC56F7E51) } }, ++ { { UINT32_C(0xFF602C1B), UINT32_C(0x246FFCB6), UINT32_C(0x6E1258E0), ++ UINT32_C(0x1E1A1D74), UINT32_C(0x250E6676), UINT32_C(0xB4B43AE2), ++ UINT32_C(0x924CE5FA), UINT32_C(0x95C1B5F0), UINT32_C(0xEBD8C776), ++ UINT32_C(0x2555795B), UINT32_C(0xACD9D9D0), UINT32_C(0x4C1E03DC) }, ++ { UINT32_C(0x9CE90C61), UINT32_C(0xE1D74AA6), UINT32_C(0xA9C4B9F9), ++ UINT32_C(0xA88C0769), UINT32_C(0x95AF56DE), UINT32_C(0xDF74DF27), ++ UINT32_C(0xB331B6F4), UINT32_C(0x24B10C5F), UINT32_C(0x6559E137), ++ UINT32_C(0xB0A6DF9A), UINT32_C(0xC06637F2), UINT32_C(0x6ACC1B8F) } }, ++ { { UINT32_C(0x34B4E381), UINT32_C(0xBD8C0868), UINT32_C(0x30DFF271), ++ UINT32_C(0x278CACC7), UINT32_C(0x02459389), UINT32_C(0x87ED12DE), ++ UINT32_C(0xDEF840B6), UINT32_C(0x3F7D98FF), UINT32_C(0x5F0B56E1), ++ UINT32_C(0x71EEE0CB), UINT32_C(0xD8D9BE87), UINT32_C(0x462B5C9B) }, ++ { UINT32_C(0x98094C0F), UINT32_C(0xE6B50B5A), UINT32_C(0x508C67CE), ++ UINT32_C(0x26F3B274), UINT32_C(0x7CB1F992), UINT32_C(0x418B1BD1), ++ UINT32_C(0x4FF11827), UINT32_C(0x607818ED), UINT32_C(0x9B042C63), ++ UINT32_C(0xE630D93A), UINT32_C(0x8C779AE3), UINT32_C(0x38B9EFF3) } }, ++ { { UINT32_C(0x729C5431), UINT32_C(0xE8767D36), UINT32_C(0xBB94642C), ++ UINT32_C(0xA8BD07C0), UINT32_C(0x58F2E5B2), UINT32_C(0x0C11FC8E), ++ UINT32_C(0x547533FE), UINT32_C(0xD8912D48), UINT32_C(0x230D91FB), ++ UINT32_C(0xAAE14F5E), UINT32_C(0x676DFBA0), UINT32_C(0xC122051A) }, ++ { UINT32_C(0x5EA93078), UINT32_C(0x9ED4501F), UINT32_C(0xBD4BEE0A), ++ UINT32_C(0x2758515C), UINT32_C(0x94D21F52), UINT32_C(0x97733C6C), ++ UINT32_C(0x4AD306A2), UINT32_C(0x139BCD6D), UINT32_C(0x298123CC), ++ UINT32_C(0x0AAECBDC), UINT32_C(0x1CB7C7C9), UINT32_C(0x102B8A31) } }, ++ { { UINT32_C(0xFAF46675), UINT32_C(0x22A28E59), UINT32_C(0x10A31E7D), ++ UINT32_C(0x10757308), UINT32_C(0x2B4C2F4F), UINT32_C(0xC7EEAC84), ++ UINT32_C(0xB5EF5184), UINT32_C(0xBA370148), UINT32_C(0x8732E055), ++ UINT32_C(0x4A5A2866), UINT32_C(0xB887C36F), UINT32_C(0x14B8DCDC) }, ++ { UINT32_C(0x433F093D), UINT32_C(0xDBA8C85C), UINT32_C(0x1C9A201C), ++ UINT32_C(0x73DF549D), UINT32_C(0x70F927D8), UINT32_C(0x69AA0D7B), ++ UINT32_C(0xD7D2493A), UINT32_C(0xFA3A8685), UINT32_C(0x0A7F4013), ++ UINT32_C(0x6F48A255), UINT32_C(0xDD393067), UINT32_C(0xD20C8BF9) } }, ++ { { UINT32_C(0x81625E78), UINT32_C(0x4EC874EA), UINT32_C(0x3FBE9267), ++ UINT32_C(0x8B8D8B5A), UINT32_C(0x9421EC2F), UINT32_C(0xA3D9D164), ++ UINT32_C(0x880EA295), UINT32_C(0x490E92D9), UINT32_C(0xD8F3B6DA), ++ UINT32_C(0x745D1EDC), UINT32_C(0x8F18BA03), UINT32_C(0x0116628B) }, ++ { UINT32_C(0x834EADCE), UINT32_C(0x0FF6BCE0), UINT32_C(0x000827F7), ++ UINT32_C(0x464697F2), UINT32_C(0x498D724E), UINT32_C(0x08DCCF84), ++ UINT32_C(0x1E88304C), UINT32_C(0x7896D365), UINT32_C(0x135E3622), ++ UINT32_C(0xE63EBCCE), UINT32_C(0xDC007521), UINT32_C(0xFB942E8E) } }, ++ { { UINT32_C(0xA3688621), UINT32_C(0xBB155A66), UINT32_C(0xF91B52A3), ++ UINT32_C(0xED2FD7CD), UINT32_C(0xEA20CB88), UINT32_C(0x52798F5D), ++ UINT32_C(0x373F7DD8), UINT32_C(0x069CE105), UINT32_C(0x8CA78F6B), ++ UINT32_C(0xF9392EC7), UINT32_C(0x6B335169), UINT32_C(0xB3013E25) }, ++ { UINT32_C(0x6B11715C), UINT32_C(0x1D92F800), UINT32_C(0xFF9DC464), ++ UINT32_C(0xADD4050E), UINT32_C(0x8465B84A), UINT32_C(0x2AC22659), ++ UINT32_C(0x465B2BD6), UINT32_C(0x2729D646), UINT32_C(0xE4EFF9DD), ++ UINT32_C(0x6202344A), UINT32_C(0xCD9B90B9), UINT32_C(0x51F3198F) } }, ++ { { UINT32_C(0xE5F0AE1D), UINT32_C(0x17CE54EF), UINT32_C(0xB09852AF), ++ UINT32_C(0x984E8204), UINT32_C(0xC4B27A71), UINT32_C(0x3365B37A), ++ UINT32_C(0xA00E0A9C), UINT32_C(0x720E3152), UINT32_C(0x925BD606), ++ UINT32_C(0x3692F70D), UINT32_C(0x7BC7E9AB), UINT32_C(0xBE6E699D) }, ++ { UINT32_C(0x4C89A3C0), UINT32_C(0xD75C041F), UINT32_C(0x8DC100C0), ++ UINT32_C(0x8B9F592D), UINT32_C(0xAD228F71), UINT32_C(0x30750F3A), ++ UINT32_C(0xE8B17A11), UINT32_C(0x1B9ECF84), UINT32_C(0x0FBFA8A2), ++ UINT32_C(0xDF202562), UINT32_C(0xAA1B6D67), UINT32_C(0x45C811FC) } }, ++ { { UINT32_C(0x1A5151F8), UINT32_C(0xEC5B84B7), UINT32_C(0x550AB2D2), ++ UINT32_C(0x118E59E8), UINT32_C(0x049BD735), UINT32_C(0x2CCDEDA4), ++ UINT32_C(0x9CD62F0F), UINT32_C(0xC99CBA71), UINT32_C(0x62C9E4F8), ++ UINT32_C(0x69B8040A), UINT32_C(0x110B8283), UINT32_C(0x16F1A31A) }, ++ { UINT32_C(0x98E908A3), UINT32_C(0x53F63802), UINT32_C(0xD862F9DE), ++ UINT32_C(0x308CB6EF), UINT32_C(0xA521A95A), UINT32_C(0xE185DAD8), ++ UINT32_C(0x097F75CA), UINT32_C(0x4D8FE9A4), UINT32_C(0x1CA07D53), ++ UINT32_C(0xD1ECCEC7), UINT32_C(0x0DB07E83), UINT32_C(0x13DFA1DC) } }, ++ { { UINT32_C(0x0F591A76), UINT32_C(0xDDAF9DC6), UINT32_C(0x1685F412), ++ UINT32_C(0xE1A6D7CC), UINT32_C(0x002B6E8D), UINT32_C(0x153DE557), ++ UINT32_C(0xC6DA37D9), UINT32_C(0x730C38BC), UINT32_C(0x0914B597), ++ UINT32_C(0xAE180622), UINT32_C(0xDD8C3A0A), UINT32_C(0x84F98103) }, ++ { UINT32_C(0x8DA205B0), UINT32_C(0x369C5398), UINT32_C(0x3888A720), ++ UINT32_C(0xA3D95B81), UINT32_C(0xE10E2806), UINT32_C(0x1F3F8BBF), ++ UINT32_C(0x4530D1F3), UINT32_C(0x48663DF5), UINT32_C(0x3E377713), ++ UINT32_C(0x320523B4), UINT32_C(0xC7894814), UINT32_C(0xE8B1A575) } }, ++ { { UINT32_C(0x2EE8EA07), UINT32_C(0x33066871), UINT32_C(0x60DA199D), ++ UINT32_C(0xC6FB4EC5), UINT32_C(0xF4370A05), UINT32_C(0x33231860), ++ UINT32_C(0xC6DE4E26), UINT32_C(0x7ABECE72), UINT32_C(0xEBDECE7A), ++ UINT32_C(0xDE8D4BD8), UINT32_C(0x1CBE93C7), UINT32_C(0xC90EE657) }, ++ { UINT32_C(0x85AC2509), UINT32_C(0x0246751B), UINT32_C(0x30380245), ++ UINT32_C(0xD0EF142C), UINT32_C(0x7C76E39C), UINT32_C(0x086DF9C4), ++ UINT32_C(0xB789FB56), UINT32_C(0x68F1304F), UINT32_C(0xA5E4BD56), ++ UINT32_C(0x23E4CB98), UINT32_C(0x64663DCA), UINT32_C(0x69A4C63C) } }, ++ { { UINT32_C(0x7CB34E63), UINT32_C(0x6C72B6AF), UINT32_C(0x6DFC23FE), ++ UINT32_C(0x073C40CD), UINT32_C(0xC936693A), UINT32_C(0xBDEEE7A1), ++ UINT32_C(0x6EFAD378), UINT32_C(0xBC858E80), UINT32_C(0xF5BE55D4), ++ UINT32_C(0xEAD719FF), UINT32_C(0x04552F5F), UINT32_C(0xC8C3238F) }, ++ { UINT32_C(0x928D5784), UINT32_C(0x0952C068), UINT32_C(0x94C58F2B), ++ UINT32_C(0x89DFDF22), UINT32_C(0x67502C50), UINT32_C(0x332DEDF3), ++ UINT32_C(0xAC0BE258), UINT32_C(0x3ED2FA3A), UINT32_C(0x7C5C8244), ++ UINT32_C(0xAEDC9B8A), UINT32_C(0xDC0EA34F), UINT32_C(0x43A761B9) } }, ++ { { UINT32_C(0xCC5E21A5), UINT32_C(0x8FD683A2), UINT32_C(0xFBA2BB68), ++ UINT32_C(0x5F444C6E), UINT32_C(0xAF05586D), UINT32_C(0x709ACD0E), ++ UINT32_C(0xDE8FB348), UINT32_C(0x8EFA54D2), UINT32_C(0x34CFE29E), ++ UINT32_C(0x35276B71), UINT32_C(0x941EAC8C), UINT32_C(0x77A06FCD) }, ++ { UINT32_C(0x928322DD), UINT32_C(0x5815792D), UINT32_C(0x67F7CB59), ++ UINT32_C(0x82FF356B), UINT32_C(0x304980F4), UINT32_C(0x71E40A78), ++ UINT32_C(0x3667D021), UINT32_C(0xC8645C27), UINT32_C(0xAEBAE28F), ++ UINT32_C(0xE785741C), UINT32_C(0x53ECAC37), UINT32_C(0xB2C1BC75) } }, ++ { { UINT32_C(0x1D0A74DB), UINT32_C(0x633EB24F), UINT32_C(0xFA752512), ++ UINT32_C(0xF1F55E56), UINT32_C(0x8EFE11DE), UINT32_C(0x75FECA68), ++ UINT32_C(0xE6BF19EC), UINT32_C(0xC80FD91C), UINT32_C(0x2A14C908), ++ UINT32_C(0xAD0BAFEC), UINT32_C(0xADE4031F), UINT32_C(0x4E1C4ACA) }, ++ { UINT32_C(0x1EB1549A), UINT32_C(0x463A815B), UINT32_C(0x668F1298), ++ UINT32_C(0x5AD4253C), UINT32_C(0x38A37151), UINT32_C(0x5CB38662), ++ UINT32_C(0xAFF16B96), UINT32_C(0x34BB1CCF), UINT32_C(0xEE731AB0), ++ UINT32_C(0xDCA93B13), UINT32_C(0x9BE01A0B), UINT32_C(0x9F3CE5CC) } }, ++ { { UINT32_C(0xA110D331), UINT32_C(0x75DB5723), UINT32_C(0x7123D89F), ++ UINT32_C(0x67C66F6A), UINT32_C(0x4009D570), UINT32_C(0x27ABBD4B), ++ UINT32_C(0xC73451BC), UINT32_C(0xACDA6F84), UINT32_C(0x05575ACF), ++ UINT32_C(0xE4B9A239), UINT32_C(0xAB2D3D6C), UINT32_C(0x3C2DB7EF) }, ++ { UINT32_C(0x29115145), UINT32_C(0x01CCDD08), UINT32_C(0x57B5814A), ++ UINT32_C(0x9E0602FE), UINT32_C(0x87862838), UINT32_C(0x679B35C2), ++ UINT32_C(0x38AD598D), UINT32_C(0x0277DC4C), UINT32_C(0x6D896DD4), ++ UINT32_C(0xEF80A213), UINT32_C(0xE7B9047B), UINT32_C(0xC8812213) } }, ++ }, ++ { ++ { { UINT32_C(0xEDC9CE62), UINT32_C(0xAC6DBDF6), UINT32_C(0x0F9C006E), ++ UINT32_C(0xA58F5B44), UINT32_C(0xDC28E1B0), UINT32_C(0x16694DE3), ++ UINT32_C(0xA6647711), UINT32_C(0x2D039CF2), UINT32_C(0xC5B08B4B), ++ UINT32_C(0xA13BBE6F), UINT32_C(0x10EBD8CE), UINT32_C(0xE44DA930) }, ++ { UINT32_C(0x19649A16), UINT32_C(0xCD472087), UINT32_C(0x683E5DF1), ++ UINT32_C(0xE18F4E44), UINT32_C(0x929BFA28), UINT32_C(0xB3F66303), ++ UINT32_C(0x818249BF), UINT32_C(0x7C378E43), UINT32_C(0x847F7CD9), ++ UINT32_C(0x76068C80), UINT32_C(0x987EBA16), UINT32_C(0xEE3DB6D1) } }, ++ { { UINT32_C(0xC42A2F52), UINT32_C(0xCBBD8576), UINT32_C(0x9D2B06BB), ++ UINT32_C(0x9ACC6F70), UINT32_C(0x2E6B72A4), UINT32_C(0xE5CB5620), ++ UINT32_C(0x7C024443), UINT32_C(0x5738EA0E), UINT32_C(0xB55368F3), ++ UINT32_C(0x8ED06170), UINT32_C(0x1AEED44F), UINT32_C(0xE54C99BB) }, ++ { UINT32_C(0xE2E0D8B2), UINT32_C(0x3D90A6B2), UINT32_C(0xCF7B2856), ++ UINT32_C(0x21718977), UINT32_C(0xC5612AEC), UINT32_C(0x089093DC), ++ UINT32_C(0x99C1BACC), UINT32_C(0xC272EF6F), UINT32_C(0xDC43EAAD), ++ UINT32_C(0x47DB3B43), UINT32_C(0x0832D891), UINT32_C(0x730F30E4) } }, ++ { { UINT32_C(0x0C7FECDB), UINT32_C(0x9FFE5563), UINT32_C(0xF88101E5), ++ UINT32_C(0x55CC67B6), UINT32_C(0xCBEFA3C7), UINT32_C(0x3039F981), ++ UINT32_C(0x667BFD64), UINT32_C(0x2AB06883), UINT32_C(0x4340E3DF), ++ UINT32_C(0x9007A257), UINT32_C(0x5A3A49CA), UINT32_C(0x1AC3F3FA) }, ++ { UINT32_C(0xC97E20FD), UINT32_C(0x9C7BE629), UINT32_C(0xA3DAE003), ++ UINT32_C(0xF61823D3), UINT32_C(0xE7380DBA), UINT32_C(0xFFE7FF39), ++ UINT32_C(0x9FACC3B8), UINT32_C(0x620BB9B5), UINT32_C(0x31AE422C), ++ UINT32_C(0x2DDCB8CD), UINT32_C(0xD12C3C43), UINT32_C(0x1DE3BCFA) } }, ++ { { UINT32_C(0xD6E0F9A9), UINT32_C(0x8C074946), UINT32_C(0x51C3B05B), ++ UINT32_C(0x662FA995), UINT32_C(0x04BB2048), UINT32_C(0x6CDAE969), ++ UINT32_C(0xD6DC8B60), UINT32_C(0x6DEC9594), UINT32_C(0x54438BBC), ++ UINT32_C(0x8D265869), UINT32_C(0x1B0E95A5), UINT32_C(0x88E983E3) }, ++ { UINT32_C(0x60CBF838), UINT32_C(0x8189F114), UINT32_C(0x771DC46B), ++ UINT32_C(0x77190697), UINT32_C(0x27F8EC1A), UINT32_C(0x775775A2), ++ UINT32_C(0x607E3739), UINT32_C(0x7A125240), UINT32_C(0x4F793E4E), ++ UINT32_C(0xAFAE84E7), UINT32_C(0x5BF5BAF4), UINT32_C(0x44FA17F3) } }, ++ { { UINT32_C(0xD03AC439), UINT32_C(0xA21E69A5), UINT32_C(0x88AA8094), ++ UINT32_C(0x2069C5FC), UINT32_C(0x8C08F206), UINT32_C(0xB041EEA7), ++ UINT32_C(0x3D65B8ED), UINT32_C(0x55B9D461), UINT32_C(0xD392C7C4), ++ UINT32_C(0x951EA25C), UINT32_C(0x9D166232), UINT32_C(0x4B9A1CEC) }, ++ { UINT32_C(0xFCF931A4), UINT32_C(0xC184FCD8), UINT32_C(0x063AD374), ++ UINT32_C(0xBA59AD44), UINT32_C(0x1AA9796F), UINT32_C(0x1868AD2A), ++ UINT32_C(0xDFF29832), UINT32_C(0x38A34018), UINT32_C(0x03DF8070), ++ UINT32_C(0x01FC8801), UINT32_C(0x48DD334A), UINT32_C(0x1282CCE0) } }, ++ { { UINT32_C(0x26D8503C), UINT32_C(0x76AA9557), UINT32_C(0x6BC3E3D0), ++ UINT32_C(0xBE962B63), UINT32_C(0x97DE8841), UINT32_C(0xF5CA93E5), ++ UINT32_C(0xAF3F2C16), UINT32_C(0x1561B05E), UINT32_C(0xD34BFF98), ++ UINT32_C(0x34BE00AA), UINT32_C(0xD23D2925), UINT32_C(0xEA21E6E9) }, ++ { UINT32_C(0x394C3AFB), UINT32_C(0x55713230), UINT32_C(0xD6C8BECA), ++ UINT32_C(0xEAF0529B), UINT32_C(0x202B9A11), UINT32_C(0xFF38A743), ++ UINT32_C(0x6D3A398B), UINT32_C(0xA13E39FC), UINT32_C(0x86E2615A), ++ UINT32_C(0x8CBD644B), UINT32_C(0x191057EC), UINT32_C(0x92063988) } }, ++ { { UINT32_C(0x13F89146), UINT32_C(0x787835CE), UINT32_C(0x69446C3F), ++ UINT32_C(0x7FCD42CC), UINT32_C(0x840E679D), UINT32_C(0x0DA2AA98), ++ UINT32_C(0x18779A1B), UINT32_C(0x44F20523), UINT32_C(0xEFBF5935), ++ UINT32_C(0xE3A3B34F), UINT32_C(0xB9947B70), UINT32_C(0xA5D2CFD0) }, ++ { UINT32_C(0x27F4E16F), UINT32_C(0xAE2AF4EF), UINT32_C(0xB9D21322), ++ UINT32_C(0xA7FA70D2), UINT32_C(0xB3FD566B), UINT32_C(0x68084919), ++ UINT32_C(0xD7AAD6AB), UINT32_C(0xF04D71C8), UINT32_C(0x10BC4260), ++ UINT32_C(0xDBEA21E4), UINT32_C(0x8D949B42), UINT32_C(0xAA7DC665) } }, ++ { { UINT32_C(0x6CCB8213), UINT32_C(0xD8E958A0), UINT32_C(0x91900B54), ++ UINT32_C(0x118D9DB9), UINT32_C(0x85E8CED6), UINT32_C(0x09BB9D49), ++ UINT32_C(0x24019281), UINT32_C(0x410E9FB5), UINT32_C(0x6D74C86E), ++ UINT32_C(0x3B31B4E1), UINT32_C(0x020BB77D), UINT32_C(0x52BC0252) }, ++ { UINT32_C(0x27092CE4), UINT32_C(0x5616A26F), UINT32_C(0xA08F65CD), ++ UINT32_C(0x67774DBC), UINT32_C(0xC08BD569), UINT32_C(0x560AD494), ++ UINT32_C(0xAD498783), UINT32_C(0xBE26DA36), UINT32_C(0x7F019C91), ++ UINT32_C(0x0276C8AB), UINT32_C(0x5248266E), UINT32_C(0x09843ADA) } }, ++ { { UINT32_C(0x7D963CF2), UINT32_C(0xA0AE88A7), UINT32_C(0xD0E84920), ++ UINT32_C(0x91EF8986), UINT32_C(0xF8C58104), UINT32_C(0xC7EFE344), ++ UINT32_C(0xECA20773), UINT32_C(0x0A25D9FD), UINT32_C(0x00D8F1D5), ++ UINT32_C(0x9D989FAA), UINT32_C(0xC8B06264), UINT32_C(0x4204C8CE) }, ++ { UINT32_C(0xBE1A2796), UINT32_C(0x717C12E0), UINT32_C(0xC190C728), ++ UINT32_C(0x1FA4BA8C), UINT32_C(0x8C8A59BA), UINT32_C(0xA245CA8D), ++ UINT32_C(0x7672B935), UINT32_C(0xE3C37475), UINT32_C(0x2E4D6375), ++ UINT32_C(0x083D5E40), UINT32_C(0x5455E16E), UINT32_C(0x0B8D5AB3) } }, ++ { { UINT32_C(0xEED765D4), UINT32_C(0x1DB17DBF), UINT32_C(0xA5DDB965), ++ UINT32_C(0xBBC9B1BE), UINT32_C(0xDFC12ABC), UINT32_C(0x1948F76D), ++ UINT32_C(0x134EF489), UINT32_C(0x2C2714E5), UINT32_C(0x741C600F), ++ UINT32_C(0x60CE2EE8), UINT32_C(0xF80E6E63), UINT32_C(0x32396F22) }, ++ { UINT32_C(0x22537F59), UINT32_C(0x421DAC75), UINT32_C(0x49475DF5), ++ UINT32_C(0x58FB73C6), UINT32_C(0x6F18F1C7), UINT32_C(0x0ABF2885), ++ UINT32_C(0x9A398D16), UINT32_C(0x36474468), UINT32_C(0xBF673B87), ++ UINT32_C(0x87A661A7), UINT32_C(0x73819E17), UINT32_C(0x3E80698F) } }, ++ { { UINT32_C(0x53784CC4), UINT32_C(0xDFE49793), UINT32_C(0x486D508F), ++ UINT32_C(0x4280EAB0), UINT32_C(0xE534F5A4), UINT32_C(0x119593FF), ++ UINT32_C(0x9F63242F), UINT32_C(0x98AEFADD), UINT32_C(0xC4829CAE), ++ UINT32_C(0x9AE6A24A), UINT32_C(0x58E8BA80), UINT32_C(0xF2373CA5) }, ++ { UINT32_C(0x51765FB3), UINT32_C(0x4017AF7E), UINT32_C(0xAF4AEC4B), ++ UINT32_C(0xD1E40F7C), UINT32_C(0x0898E3BC), UINT32_C(0x87372C7A), ++ UINT32_C(0x85452CA9), UINT32_C(0x688982B2), UINT32_C(0xB1E50BCA), ++ UINT32_C(0x71E0B4BF), UINT32_C(0xF70E714A), UINT32_C(0x21FD2DBF) } }, ++ { { UINT32_C(0xFB78DDAC), UINT32_C(0xEE6E8820), UINT32_C(0x063892CD), ++ UINT32_C(0x0BAED29C), UINT32_C(0x28C0588D), UINT32_C(0x5F33049C), ++ UINT32_C(0x18DBC432), UINT32_C(0x90C2515E), UINT32_C(0x3B4CB0BD), ++ UINT32_C(0xB8A1B143), UINT32_C(0x68103043), UINT32_C(0x0AB5C0C9) }, ++ { UINT32_C(0x4005EC40), UINT32_C(0xF3788FA0), UINT32_C(0x039EE115), ++ UINT32_C(0x82571C99), UINT32_C(0x93260BED), UINT32_C(0xEE8FCED5), ++ UINT32_C(0x10836D18), UINT32_C(0x5A9BAF79), UINT32_C(0xC46AA4F6), ++ UINT32_C(0x7C258B09), UINT32_C(0x37F53D31), UINT32_C(0x46ECC5E8) } }, ++ { { UINT32_C(0xBFE0DD98), UINT32_C(0xFA32C0DC), UINT32_C(0x962B1066), ++ UINT32_C(0x66EFAFC4), UINT32_C(0x64BDF5EB), UINT32_C(0xBA81D33E), ++ UINT32_C(0xFC7FC512), UINT32_C(0x36C28536), UINT32_C(0xE0B4FA97), ++ UINT32_C(0x0C95176B), UINT32_C(0x3B9BC64A), UINT32_C(0x47DDE29B) }, ++ { UINT32_C(0x5C173B36), UINT32_C(0x08D986FD), UINT32_C(0x6CF3F28C), ++ UINT32_C(0x46D84B52), UINT32_C(0xF026BDB9), UINT32_C(0x6F6ED6C3), ++ UINT32_C(0x68206DC5), UINT32_C(0xAC90668B), UINT32_C(0xECBE4E70), ++ UINT32_C(0xE8ED5D98), UINT32_C(0xDC1A6974), UINT32_C(0xCFFF61DD) } }, ++ { { UINT32_C(0x77B1A5C1), UINT32_C(0xFF5C3A29), UINT32_C(0x0DDF995D), ++ UINT32_C(0x10C27E4A), UINT32_C(0xE23363E3), UINT32_C(0xCB745F77), ++ UINT32_C(0x32F399A3), UINT32_C(0xD765DF6F), UINT32_C(0x8A99E109), ++ UINT32_C(0xF0CA0C2F), UINT32_C(0x1E025CA0), UINT32_C(0xC3A6BFB7) }, ++ { UINT32_C(0x4F9D9FA5), UINT32_C(0x830B2C0A), UINT32_C(0xBD1A84E5), ++ UINT32_C(0xAE914CAC), UINT32_C(0xA4FEBCC1), UINT32_C(0x30B35ED8), ++ UINT32_C(0x84CFBF2E), UINT32_C(0xCB902B46), UINT32_C(0x25FC6375), ++ UINT32_C(0x0BD47628), UINT32_C(0x85509D04), UINT32_C(0xA858A53C) } }, ++ { { UINT32_C(0x552E0A3F), UINT32_C(0x8B995D0C), UINT32_C(0x17BE9FF7), ++ UINT32_C(0xEDBD4E94), UINT32_C(0x95085178), UINT32_C(0x3432E839), ++ UINT32_C(0x80C256F5), UINT32_C(0x0FE5C181), UINT32_C(0xEBF9597C), ++ UINT32_C(0x05A64EA8), UINT32_C(0x3F80371F), UINT32_C(0x6ED44BB1) }, ++ { UINT32_C(0xFE4C12EE), UINT32_C(0x6A29A05E), UINT32_C(0xE0BB83B3), ++ UINT32_C(0x3E436A43), UINT32_C(0x74D72921), UINT32_C(0x38365D9A), ++ UINT32_C(0xC38E1ED7), UINT32_C(0x3F5EE823), UINT32_C(0xE8FA063F), ++ UINT32_C(0x09A53213), UINT32_C(0xB435E713), UINT32_C(0x1E7FE47A) } }, ++ { { UINT32_C(0xFDDD17F3), UINT32_C(0xE4D9BC94), UINT32_C(0xC1016C20), ++ UINT32_C(0xC74B8FED), UINT32_C(0xB49C060E), UINT32_C(0x095DE39B), ++ UINT32_C(0x8AC0DF00), UINT32_C(0xDBCC6795), UINT32_C(0x1C34F4DF), ++ UINT32_C(0x4CF6BAEB), UINT32_C(0xE8390170), UINT32_C(0x72C55C21) }, ++ { UINT32_C(0xF6C48E79), UINT32_C(0x4F17BFD2), UINT32_C(0x017A80BA), ++ UINT32_C(0x18BF4DA0), UINT32_C(0xBCF4B138), UINT32_C(0xCF51D829), ++ UINT32_C(0xF48F8B0D), UINT32_C(0x598AEE5F), UINT32_C(0x20F10809), ++ UINT32_C(0x83FAEE56), UINT32_C(0x779F0850), UINT32_C(0x4615D4DC) } }, ++ }, ++ { ++ { { UINT32_C(0x5852B59B), UINT32_C(0x22313DEE), UINT32_C(0xB6A0B37F), ++ UINT32_C(0x6F56C8E8), UINT32_C(0xA76EC380), UINT32_C(0x43D6EEAE), ++ UINT32_C(0x0275AD36), UINT32_C(0xA1655136), UINT32_C(0xDF095BDA), ++ UINT32_C(0xE5C1B65A), UINT32_C(0x367C44B0), UINT32_C(0xBD1FFA8D) }, ++ { UINT32_C(0x6B48AF2B), UINT32_C(0xE2B419C2), UINT32_C(0x3DA194C8), ++ UINT32_C(0x57BBBD97), UINT32_C(0xA2BAFF05), UINT32_C(0xB5FBE51F), ++ UINT32_C(0x6269B5D0), UINT32_C(0xA0594D70), UINT32_C(0x23E8D667), ++ UINT32_C(0x0B07B705), UINT32_C(0x63E016E7), UINT32_C(0xAE1976B5) } }, ++ { { UINT32_C(0xFBECAAAE), UINT32_C(0x2FDE4893), UINT32_C(0x30332229), ++ UINT32_C(0x444346DE), UINT32_C(0x09456ED5), UINT32_C(0x157B8A5B), ++ UINT32_C(0x25797C6C), UINT32_C(0x73606A79), UINT32_C(0x33C14C06), ++ UINT32_C(0xA9D0F47C), UINT32_C(0xFAF971CA), UINT32_C(0x7BC8962C) }, ++ { UINT32_C(0x65909DFD), UINT32_C(0x6E763C51), UINT32_C(0x14A9BF42), ++ UINT32_C(0x1BBBE41B), UINT32_C(0xC49E9EFC), UINT32_C(0xD95B7ECB), ++ UINT32_C(0xB38F2B59), UINT32_C(0x0C317927), UINT32_C(0xB3C397DB), ++ UINT32_C(0x97912B53), UINT32_C(0x45C7ABC7), UINT32_C(0xCB3879AA) } }, ++ { { UINT32_C(0x24359B81), UINT32_C(0xCD81BDCF), UINT32_C(0xDB4C321C), ++ UINT32_C(0x6FD326E2), UINT32_C(0xF8EBE39C), UINT32_C(0x4CB0228B), ++ UINT32_C(0xB2CDD852), UINT32_C(0x496A9DCE), UINT32_C(0xD0E9B3AF), ++ UINT32_C(0x0F115A1A), UINT32_C(0xD8EEEF8A), UINT32_C(0xAA08BF36) }, ++ { UINT32_C(0x06E5E739), UINT32_C(0x5232A515), UINT32_C(0x8407A551), ++ UINT32_C(0x21FAE9D5), UINT32_C(0x8994B4E8), UINT32_C(0x289D18B0), ++ UINT32_C(0x09097A52), UINT32_C(0xB4E346A8), UINT32_C(0x324621D0), ++ UINT32_C(0xC641510F), UINT32_C(0x95A41AB8), UINT32_C(0xC567FD4A) } }, ++ { { UINT32_C(0xD57C8DE9), UINT32_C(0x261578C7), UINT32_C(0x3836C5C8), ++ UINT32_C(0xB9BC491F), UINT32_C(0x14C8038F), UINT32_C(0x993266B4), ++ UINT32_C(0xFAA7CC39), UINT32_C(0xBACAD755), UINT32_C(0xD69B7E27), ++ UINT32_C(0x418C4DEF), UINT32_C(0xAE751533), UINT32_C(0x53FDC5CD) }, ++ { UINT32_C(0xC3EEA63A), UINT32_C(0x6F3BD329), UINT32_C(0xE53DD29E), ++ UINT32_C(0xA7A22091), UINT32_C(0xDC4C54EC), UINT32_C(0xB7164F73), ++ UINT32_C(0x44D3D74E), UINT32_C(0xCA66290D), UINT32_C(0x4C9EA511), ++ UINT32_C(0xF77C6242), UINT32_C(0x1F714C49), UINT32_C(0x34337F55) } }, ++ { { UINT32_C(0xA64B6C4B), UINT32_C(0x5ED2B216), UINT32_C(0x3AAE640D), ++ UINT32_C(0x1C38794F), UINT32_C(0x8905794F), UINT32_C(0x30BBAEE0), ++ UINT32_C(0xC8699CFB), UINT32_C(0x0D9EE41E), UINT32_C(0xCF7B7C29), ++ UINT32_C(0xAF38DAF2), UINT32_C(0x43E53513), UINT32_C(0x0D6A05CA) }, ++ { UINT32_C(0x2606AB56), UINT32_C(0xBE96C644), UINT32_C(0xE9EB9734), ++ UINT32_C(0x13E7A072), UINT32_C(0x5FF50CD7), UINT32_C(0xF9669445), ++ UINT32_C(0x47DA6F1D), UINT32_C(0x68EF26B5), UINT32_C(0x23687CB7), ++ UINT32_C(0xF0028738), UINT32_C(0x6217C1CE), UINT32_C(0x5ED9C876) } }, ++ { { UINT32_C(0x0A3A9691), UINT32_C(0x423BA513), UINT32_C(0xB3179296), ++ UINT32_C(0xF421B1E7), UINT32_C(0x1A871E1B), UINT32_C(0x6B51BCDB), ++ UINT32_C(0x464E4300), UINT32_C(0x6E3BB5B5), UINT32_C(0xFC6C54CC), ++ UINT32_C(0x24171E2E), UINT32_C(0xD3E58DC2), UINT32_C(0xA9DFA947) }, ++ { UINT32_C(0x9DE9CFA7), UINT32_C(0x175B3309), UINT32_C(0x2D1015DA), ++ UINT32_C(0x707B2529), UINT32_C(0x993EA65A), UINT32_C(0xCBB95F17), ++ UINT32_C(0x0447450D), UINT32_C(0x93515063), UINT32_C(0x1B2753C9), ++ UINT32_C(0x0F47B205), UINT32_C(0xE7D427CF), UINT32_C(0x4A0BAB14) } }, ++ { { UINT32_C(0xB5AA7CA1), UINT32_C(0xA39DEF39), UINT32_C(0xC47C33DF), ++ UINT32_C(0x591CB173), UINT32_C(0x6BBAB872), UINT32_C(0xA09DAC79), ++ UINT32_C(0x7208BA2F), UINT32_C(0x3EF9D7CF), UINT32_C(0x7A0A34FC), ++ UINT32_C(0x3CC18931), UINT32_C(0xBCC3380F), UINT32_C(0xAE31C62B) }, ++ { UINT32_C(0x0287C0B4), UINT32_C(0xD72A6794), UINT32_C(0x68E334F1), ++ UINT32_C(0x3373382C), UINT32_C(0xBD20C6A6), UINT32_C(0xD0310CA8), ++ UINT32_C(0x42C033FD), UINT32_C(0xA2734B87), UINT32_C(0x8DCE4509), ++ UINT32_C(0xA5D390F1), UINT32_C(0x3E1AFCB5), UINT32_C(0xFC84E74B) } }, ++ { { UINT32_C(0xF2CD8A9C), UINT32_C(0xB028334D), UINT32_C(0x570F76F6), ++ UINT32_C(0xB8719291), UINT32_C(0x01065A2D), UINT32_C(0x662A386E), ++ UINT32_C(0x53D940AE), UINT32_C(0xDF1634CB), UINT32_C(0x8F5B41F9), ++ UINT32_C(0x625A7B83), UINT32_C(0xEE6AA1B4), UINT32_C(0xA033E4FE) }, ++ { UINT32_C(0x1E42BABB), UINT32_C(0x51E9D463), UINT32_C(0x0D388468), ++ UINT32_C(0x660BC2E4), UINT32_C(0xFCBB114A), UINT32_C(0x3F702189), ++ UINT32_C(0xB414CA78), UINT32_C(0x6B46FE35), UINT32_C(0x4A57316B), ++ UINT32_C(0x328F6CF2), UINT32_C(0x381AD156), UINT32_C(0x917423B5) } }, ++ { { UINT32_C(0x5373A607), UINT32_C(0xAC19306E), UINT32_C(0x191D0969), ++ UINT32_C(0x471DF8E3), UINT32_C(0xB9720D83), UINT32_C(0x380ADE35), ++ UINT32_C(0x48F1FD5C), UINT32_C(0x7423FDF5), UINT32_C(0x49CABC95), ++ UINT32_C(0x8B090C9F), UINT32_C(0xC9842F2F), UINT32_C(0xB768E8CD) }, ++ { UINT32_C(0xE56162D6), UINT32_C(0x399F456D), UINT32_C(0x4F326791), ++ UINT32_C(0xBB6BA240), UINT32_C(0x342590BE), UINT32_C(0x8F4FBA3B), ++ UINT32_C(0x3DFB6B3E), UINT32_C(0x053986B9), UINT32_C(0x190C7425), ++ UINT32_C(0xBB6739F1), UINT32_C(0x32F7E95F), UINT32_C(0x32D4A553) } }, ++ { { UINT32_C(0x0DDBFB21), UINT32_C(0x0205A0EC), UINT32_C(0x33AC3407), ++ UINT32_C(0x3010327D), UINT32_C(0x3348999B), UINT32_C(0xCF2F4DB3), ++ UINT32_C(0x1551604A), UINT32_C(0x660DB9F4), UINT32_C(0x5D38D335), ++ UINT32_C(0xC346C69A), UINT32_C(0x38882479), UINT32_C(0x64AAB3D3) }, ++ { UINT32_C(0x6AE44403), UINT32_C(0xA096B5E7), UINT32_C(0x645F76CD), ++ UINT32_C(0x6B4C9571), UINT32_C(0x4711120F), UINT32_C(0x72E1CD5F), ++ UINT32_C(0xF27CC3E1), UINT32_C(0x93EC42AC), UINT32_C(0xA72ABB12), ++ UINT32_C(0x2D18D004), UINT32_C(0xC9841A04), UINT32_C(0x232E9568) } }, ++ { { UINT32_C(0x3CC7F908), UINT32_C(0xFF01DB22), UINT32_C(0xD13CDD3B), ++ UINT32_C(0x9F214F8F), UINT32_C(0xE0B014B5), UINT32_C(0x38DADBB7), ++ UINT32_C(0x94245C95), UINT32_C(0x2C548CCC), UINT32_C(0x809AFCE3), ++ UINT32_C(0x714BE331), UINT32_C(0x9BFE957E), UINT32_C(0xBCC64410) }, ++ { UINT32_C(0x5B957F80), UINT32_C(0xC21C2D21), UINT32_C(0xBB8A4C42), ++ UINT32_C(0xBA2D4FDC), UINT32_C(0x74817CEC), UINT32_C(0xFA6CD4AF), ++ UINT32_C(0xC528EAD6), UINT32_C(0x9E7FB523), UINT32_C(0x7714B10E), ++ UINT32_C(0xAED781FF), UINT32_C(0x94F04455), UINT32_C(0xB52BB592) } }, ++ { { UINT32_C(0x868CC68B), UINT32_C(0xA578BD69), UINT32_C(0x603F2C08), ++ UINT32_C(0xA40FDC8D), UINT32_C(0x2D81B042), UINT32_C(0x53D79BD1), ++ UINT32_C(0xA7587EAB), UINT32_C(0x1B136AF3), UINT32_C(0x868A16DB), ++ UINT32_C(0x1ED4F939), UINT32_C(0xD0B98273), UINT32_C(0x775A61FB) }, ++ { UINT32_C(0xE56BEF8C), UINT32_C(0xBA5C12A6), UINT32_C(0xDDDC8595), ++ UINT32_C(0xF926CE52), UINT32_C(0x586FE1F8), UINT32_C(0xA13F5C8F), ++ UINT32_C(0x060DBB54), UINT32_C(0xEAC9F7F2), UINT32_C(0x51AF4342), ++ UINT32_C(0x70C0AC3A), UINT32_C(0x79CDA450), UINT32_C(0xC16E303C) } }, ++ { { UINT32_C(0x8113F4EA), UINT32_C(0xD0DADD6C), UINT32_C(0x07BDF09F), ++ UINT32_C(0xF14E3922), UINT32_C(0xAA7D877C), UINT32_C(0x3FE5E9C2), ++ UINT32_C(0x48779264), UINT32_C(0x9EA95C19), UINT32_C(0x4FCB8344), ++ UINT32_C(0xE93F65A7), UINT32_C(0x76D925A4), UINT32_C(0x9F40837E) }, ++ { UINT32_C(0x8271FFC7), UINT32_C(0x0EA6DA3F), UINT32_C(0xCC8F9B19), ++ UINT32_C(0x557FA529), UINT32_C(0x78E6DDFD), UINT32_C(0x2613DBF1), ++ UINT32_C(0x36B1E954), UINT32_C(0x7A7523B8), UINT32_C(0x406A87FB), ++ UINT32_C(0x20EB3168), UINT32_C(0x03ABA56A), UINT32_C(0x64C21C14) } }, ++ { { UINT32_C(0xC032DD5F), UINT32_C(0xE86C9C2D), UINT32_C(0x86F16A21), ++ UINT32_C(0x158CEB8E), UINT32_C(0x68326AF1), UINT32_C(0x0279FF53), ++ UINT32_C(0x59F12BA5), UINT32_C(0x1FFE2E2B), UINT32_C(0x86826D45), ++ UINT32_C(0xD75A46DB), UINT32_C(0x1E33E6AC), UINT32_C(0xE19B4841) }, ++ { UINT32_C(0x0E52991C), UINT32_C(0x5F0CC524), UINT32_C(0x8B116286), ++ UINT32_C(0x645871F9), UINT32_C(0xFCAEC5D3), UINT32_C(0xAB3B4B1E), ++ UINT32_C(0x51D0F698), UINT32_C(0x994C8DF0), UINT32_C(0xE5D13040), ++ UINT32_C(0x06F890AF), UINT32_C(0x5F96C7C2), UINT32_C(0x72D9DC23) } }, ++ { { UINT32_C(0xE7886A80), UINT32_C(0x7C018DEE), UINT32_C(0x8786E4A3), ++ UINT32_C(0xFA209330), UINT32_C(0xA4415CA1), UINT32_C(0xCEC8E2A3), ++ UINT32_C(0xCC83CC60), UINT32_C(0x5C736FC1), UINT32_C(0xF00C259F), ++ UINT32_C(0xFEF9788C), UINT32_C(0xDD29A6AD), UINT32_C(0xED5C01CB) }, ++ { UINT32_C(0x3E20825B), UINT32_C(0x87834A03), UINT32_C(0x123F9358), ++ UINT32_C(0x13B1239D), UINT32_C(0xFBC286C1), UINT32_C(0x7E8869D0), ++ UINT32_C(0x24CE8609), UINT32_C(0xC4AB5AA3), UINT32_C(0xB6349208), ++ UINT32_C(0x38716BEE), UINT32_C(0xB322AE21), UINT32_C(0x0BDF4F99) } }, ++ { { UINT32_C(0x53E3494B), UINT32_C(0x6B97A2BF), UINT32_C(0x70F7A13E), ++ UINT32_C(0xA8AA05C5), UINT32_C(0xF1305B51), UINT32_C(0x209709C2), ++ UINT32_C(0xDAB76F2C), UINT32_C(0x57B31888), UINT32_C(0xAA2A406A), ++ UINT32_C(0x75B2ECD7), UINT32_C(0xA35374A4), UINT32_C(0x88801A00) }, ++ { UINT32_C(0x45C0471B), UINT32_C(0xE1458D1C), UINT32_C(0x322C1AB0), ++ UINT32_C(0x5760E306), UINT32_C(0xAD6AB0A6), UINT32_C(0x789A0AF1), ++ UINT32_C(0xF458B9CE), UINT32_C(0x74398DE1), UINT32_C(0x32E0C65F), ++ UINT32_C(0x1652FF9F), UINT32_C(0xFFFB3A52), UINT32_C(0xFAF1F9D5) } }, ++ }, ++ { ++ { { UINT32_C(0xD1D1B007), UINT32_C(0xA05C751C), UINT32_C(0x0213E478), ++ UINT32_C(0x016C213B), UINT32_C(0xF4C98FEE), UINT32_C(0x9C56E26C), ++ UINT32_C(0xE7B3A7C7), UINT32_C(0x6084F8B9), UINT32_C(0xDECC1646), ++ UINT32_C(0xA0B042F6), UINT32_C(0xFBF3A0BC), UINT32_C(0x4A6F3C1A) }, ++ { UINT32_C(0x51C9F909), UINT32_C(0x94524C2C), UINT32_C(0x3A6D3748), ++ UINT32_C(0xF3B3AD40), UINT32_C(0x7CE1F9F5), UINT32_C(0x18792D6E), ++ UINT32_C(0xFC0C34FA), UINT32_C(0x8EBC2FD7), UINT32_C(0x780A1693), ++ UINT32_C(0x032A9F41), UINT32_C(0x56A60019), UINT32_C(0x34F9801E) } }, ++ { { UINT32_C(0xF0DB3751), UINT32_C(0xB398290C), UINT32_C(0xBA42C976), ++ UINT32_C(0x01170580), UINT32_C(0x56560B89), UINT32_C(0x3E71AA29), ++ UINT32_C(0x50E6647B), UINT32_C(0x80817AAC), UINT32_C(0xA0BE42DA), ++ UINT32_C(0x35C833AD), UINT32_C(0xF1BABA4E), UINT32_C(0xFA3C6148) }, ++ { UINT32_C(0xCD8F6253), UINT32_C(0xC57BE645), UINT32_C(0xC657AD0D), ++ UINT32_C(0x77CEE46B), UINT32_C(0x0DEFD908), UINT32_C(0x83007731), ++ UINT32_C(0x899CBA56), UINT32_C(0x92FE9BCE), UINT32_C(0xBCEFFB5A), ++ UINT32_C(0x48450EC4), UINT32_C(0xF2F5F4BF), UINT32_C(0xE615148D) } }, ++ { { UINT32_C(0x90B86166), UINT32_C(0xF55EDABB), UINT32_C(0x075430A2), ++ UINT32_C(0x27F7D784), UINT32_C(0x9BF17161), UINT32_C(0xF53E822B), ++ UINT32_C(0xAFE808DC), UINT32_C(0x4A5B3B93), UINT32_C(0xD7272F55), ++ UINT32_C(0x590BBBDE), UINT32_C(0xEAEA79A1), UINT32_C(0x233D63FA) }, ++ { UINT32_C(0xFE1EBA07), UINT32_C(0xD7042BEA), UINT32_C(0x10750D7E), ++ UINT32_C(0xD2B9AEA0), UINT32_C(0x31078AA5), UINT32_C(0xD8D1E690), ++ UINT32_C(0x7E37BC8B), UINT32_C(0x9E837F18), UINT32_C(0x85008975), ++ UINT32_C(0x9558FF4F), UINT32_C(0x421FE867), UINT32_C(0x93EDB837) } }, ++ { { UINT32_C(0x83D55B5A), UINT32_C(0xAA6489DF), UINT32_C(0x86BF27F7), ++ UINT32_C(0xEA092E49), UINT32_C(0x5FA2EFEC), UINT32_C(0x4D8943A9), ++ UINT32_C(0x720E1A8C), UINT32_C(0xC9BAAE53), UINT32_C(0x95A4F8A3), ++ UINT32_C(0xC055444B), UINT32_C(0xA7C1206B), UINT32_C(0x93BD01E8) }, ++ { UINT32_C(0x714A27DF), UINT32_C(0xD97765B6), UINT32_C(0x193F1B16), ++ UINT32_C(0xD622D954), UINT32_C(0xF1503B15), UINT32_C(0x115CC35A), ++ UINT32_C(0xA9FA21F8), UINT32_C(0x1DD5359F), UINT32_C(0x6DFED1F1), ++ UINT32_C(0x197C3299), UINT32_C(0xF77F2679), UINT32_C(0xDEE8B7C9) } }, ++ { { UINT32_C(0x394FD855), UINT32_C(0x5405179F), UINT32_C(0x49FDFB33), ++ UINT32_C(0xC9D6E244), UINT32_C(0xBD903393), UINT32_C(0x70EBCAB4), ++ UINT32_C(0xA2C56780), UINT32_C(0x0D3A3899), UINT32_C(0x683D1A0A), ++ UINT32_C(0x012C7256), UINT32_C(0x80A48F3B), UINT32_C(0xC688FC88) }, ++ { UINT32_C(0x6F7DF527), UINT32_C(0x18095754), UINT32_C(0x71315D16), ++ UINT32_C(0x9E339B4B), UINT32_C(0xA956BB12), UINT32_C(0x90560C28), ++ UINT32_C(0xD42EEE8D), UINT32_C(0x2BECEA60), UINT32_C(0x50632653), ++ UINT32_C(0x82AEB9A7), UINT32_C(0xDFA5CD6A), UINT32_C(0xED34353E) } }, ++ { { UINT32_C(0x91AECCE4), UINT32_C(0x82154D2C), UINT32_C(0x5041887F), ++ UINT32_C(0x312C6070), UINT32_C(0xFB9FBD71), UINT32_C(0xECF589F3), ++ UINT32_C(0xB524BDE4), UINT32_C(0x67660A7D), UINT32_C(0x724ACF23), ++ UINT32_C(0xE99B029D), UINT32_C(0x6D1CD891), UINT32_C(0xDF06E4AF) }, ++ { UINT32_C(0x80EE304D), UINT32_C(0x07806CB5), UINT32_C(0x7443A8F8), ++ UINT32_C(0x0C70BB9F), UINT32_C(0x08B0830A), UINT32_C(0x01EC3414), ++ UINT32_C(0x5A81510B), UINT32_C(0xFD7B63C3), UINT32_C(0x453B5F93), ++ UINT32_C(0xE90A0A39), UINT32_C(0x9BC71725), UINT32_C(0xAB700F8F) } }, ++ { { UINT32_C(0xB9F00793), UINT32_C(0x9401AEC2), UINT32_C(0xB997F0BF), ++ UINT32_C(0x064EC4F4), UINT32_C(0x849240C8), UINT32_C(0xDC0CC1FD), ++ UINT32_C(0xB6E92D72), UINT32_C(0x39A75F37), UINT32_C(0x0224A4AB), ++ UINT32_C(0xAA43CA5D), UINT32_C(0x54614C47), UINT32_C(0x9C4D6325) }, ++ { UINT32_C(0xC6709DA3), UINT32_C(0x1767366F), UINT32_C(0x23479232), ++ UINT32_C(0xA6B482D1), UINT32_C(0x84D63E85), UINT32_C(0x54DC6DDC), ++ UINT32_C(0xC99D3B9E), UINT32_C(0x0ACCB5AD), UINT32_C(0xE8AA3ABF), ++ UINT32_C(0x211716BB), UINT32_C(0x69EC6406), UINT32_C(0xD0FE25AD) } }, ++ { { UINT32_C(0xDF85C705), UINT32_C(0x0D5C1769), UINT32_C(0xA409DCD1), ++ UINT32_C(0x7086C93D), UINT32_C(0x0E8D75D8), UINT32_C(0x9710839D), ++ UINT32_C(0xEBDD4177), UINT32_C(0x17B7DB75), UINT32_C(0xF649A809), ++ UINT32_C(0xAF69EB58), UINT32_C(0x8A84E220), UINT32_C(0x6EF19EA2) }, ++ { UINT32_C(0x65C278B2), UINT32_C(0x36EB5C66), UINT32_C(0x81EA9D65), ++ UINT32_C(0xD2A15128), UINT32_C(0x769300AD), UINT32_C(0x4FCBA840), ++ UINT32_C(0xC8E536E5), UINT32_C(0xC2052CCD), UINT32_C(0xAC263B8F), ++ UINT32_C(0x9CAEE014), UINT32_C(0xF9239663), UINT32_C(0x56F7ED7A) } }, ++ { { UINT32_C(0xAC9E09E1), UINT32_C(0xF6FA251F), UINT32_C(0x955A2853), ++ UINT32_C(0xA3775605), UINT32_C(0xF2A4BD78), UINT32_C(0x977B8D21), ++ UINT32_C(0x3E096410), UINT32_C(0xF68AA7FF), UINT32_C(0x65F88419), ++ UINT32_C(0x01AB0552), UINT32_C(0xBB93F64E), UINT32_C(0xC4C8D77E) }, ++ { UINT32_C(0x3451FE64), UINT32_C(0x71825111), UINT32_C(0x46F9BAF0), ++ UINT32_C(0xFA0F905B), UINT32_C(0xCA49EF1A), UINT32_C(0x79BE3BF3), ++ UINT32_C(0x6CB02071), UINT32_C(0x831109B2), UINT32_C(0xC4DDBFE5), ++ UINT32_C(0x765F935F), UINT32_C(0x80E5A3BA), UINT32_C(0x6F99CD14) } }, ++ { { UINT32_C(0x234F91FF), UINT32_C(0xD2E8DA04), UINT32_C(0x813867AA), ++ UINT32_C(0x4DED4D6D), UINT32_C(0xE0A0D945), UINT32_C(0x3B50175D), ++ UINT32_C(0x4EB78137), UINT32_C(0x55AC7406), UINT32_C(0xE1D47730), ++ UINT32_C(0xE9FA7F6E), UINT32_C(0x5CBF2176), UINT32_C(0x2C171531) }, ++ { UINT32_C(0x2BE7A47D), UINT32_C(0xA521788F), UINT32_C(0x3FCF1AB3), ++ UINT32_C(0x95B15A27), UINT32_C(0xF28A946A), UINT32_C(0xAADA6401), ++ UINT32_C(0x8B4E898B), UINT32_C(0x628B2EF4), UINT32_C(0x6D6592CC), ++ UINT32_C(0x0E6F4629), UINT32_C(0xA723CADD), UINT32_C(0x997C7094) } }, ++ { { UINT32_C(0x6AFE80C6), UINT32_C(0x878BCE11), UINT32_C(0x007BBA38), ++ UINT32_C(0xA89ABC9D), UINT32_C(0xA7CC267F), UINT32_C(0xB0C1F87B), ++ UINT32_C(0x5104FF04), UINT32_C(0x86D33B9D), UINT32_C(0x2EF1BA42), ++ UINT32_C(0xB0504B1B), UINT32_C(0xB2827E88), UINT32_C(0x21693048) }, ++ { UINT32_C(0x79CFCD14), UINT32_C(0x11F1CCD5), UINT32_C(0x94AD227E), ++ UINT32_C(0x59C09FFA), UINT32_C(0x3EA91ACF), UINT32_C(0x95A4ADCB), ++ UINT32_C(0xB4370BAA), UINT32_C(0x1346238B), UINT32_C(0x3E1367B0), ++ UINT32_C(0xB099D202), UINT32_C(0x90F23CEA), UINT32_C(0xCF5BBDE6) } }, ++ { { UINT32_C(0xBCB3BE5E), UINT32_C(0x453299BB), UINT32_C(0x38E9FF97), ++ UINT32_C(0x123C588E), UINT32_C(0xF6A2E521), UINT32_C(0x8C115DD9), ++ UINT32_C(0xFF7D4B98), UINT32_C(0x6E333C11), UINT32_C(0xDA73E736), ++ UINT32_C(0x9DD061E5), UINT32_C(0x5CA53056), UINT32_C(0xC6AB7B3A) }, ++ { UINT32_C(0x5B30A76B), UINT32_C(0xF1EF3EE3), UINT32_C(0x961BA11F), ++ UINT32_C(0xADD6B44A), UINT32_C(0x2CA6E030), UINT32_C(0x7BB00B75), ++ UINT32_C(0x2FE270AD), UINT32_C(0x270272E8), UINT32_C(0x241A9239), ++ UINT32_C(0x23BC6F4F), UINT32_C(0x0BB94A94), UINT32_C(0x88581E13) } }, ++ { { UINT32_C(0x24EEF67F), UINT32_C(0xBD225A69), UINT32_C(0x0412CEB7), ++ UINT32_C(0x7CFD9614), UINT32_C(0x99AC298E), UINT32_C(0xF6DE1679), ++ UINT32_C(0xED6C3571), UINT32_C(0xB20FD895), UINT32_C(0x61836C56), ++ UINT32_C(0x03C73B78), UINT32_C(0xABA6CB34), UINT32_C(0xEE3C3A16) }, ++ { UINT32_C(0x4138408A), UINT32_C(0x9E8C5667), UINT32_C(0x2DD6EBDF), ++ UINT32_C(0xEC25FCB1), UINT32_C(0xDBBDF6E3), UINT32_C(0xC54C33FD), ++ UINT32_C(0x4A3C9DD4), UINT32_C(0x93E0913B), UINT32_C(0x35EDEED4), ++ UINT32_C(0x66D7D135), UINT32_C(0x453FB66E), UINT32_C(0xD29A36C4) } }, ++ { { UINT32_C(0x9F1943AF), UINT32_C(0x7F192F03), UINT32_C(0x4E0B5FB0), ++ UINT32_C(0x6488163F), UINT32_C(0x53599226), UINT32_C(0x66A45C69), ++ UINT32_C(0x9AD15A73), UINT32_C(0x924E2E43), UINT32_C(0x42A99D76), ++ UINT32_C(0x8B553DB7), UINT32_C(0x0451F521), UINT32_C(0x4BC6B53B) }, ++ { UINT32_C(0x101F8AD6), UINT32_C(0xC029B5EF), UINT32_C(0xC507EED9), ++ UINT32_C(0x6A4DA71C), UINT32_C(0x30BB22F3), UINT32_C(0x3ADFAEC0), ++ UINT32_C(0xB514F85B), UINT32_C(0x81BCAF7A), UINT32_C(0x5A7E60D3), ++ UINT32_C(0x2E1E6EFF), UINT32_C(0xAE39D42F), UINT32_C(0x5270ABC0) } }, ++ { { UINT32_C(0x3901F0F8), UINT32_C(0x86D56DEB), UINT32_C(0xEED5F650), ++ UINT32_C(0x1D0BC792), UINT32_C(0xCA1114A3), UINT32_C(0x1A2DDFD8), ++ UINT32_C(0xF1DD316D), UINT32_C(0x94ABF4B1), UINT32_C(0x3D9F18EF), ++ UINT32_C(0xF72179E4), UINT32_C(0x9AA2CABF), UINT32_C(0x52A0921E) }, ++ { UINT32_C(0xA7452883), UINT32_C(0xECDA9E27), UINT32_C(0xAFD771B4), ++ UINT32_C(0x7E90850A), UINT32_C(0x9CC0465C), UINT32_C(0xD40F87EA), ++ UINT32_C(0x865CDA36), UINT32_C(0x8CFCB60A), UINT32_C(0x7C650942), ++ UINT32_C(0x3DBEC2CC), UINT32_C(0xE718CA9D), UINT32_C(0x071A4EE7) } }, ++ { { UINT32_C(0x276AC5F3), UINT32_C(0x73C0E4FF), UINT32_C(0xBDB97EA1), ++ UINT32_C(0xE7BA5A6A), UINT32_C(0xC5808398), UINT32_C(0x638CA54E), ++ UINT32_C(0x413855E5), UINT32_C(0x8258DC82), UINT32_C(0x57F07614), ++ UINT32_C(0x35DDD2E9), UINT32_C(0x1DC13BF9), UINT32_C(0xF98DD692) }, ++ { UINT32_C(0xF16DCD84), UINT32_C(0x3A4C0088), UINT32_C(0x833D83F9), ++ UINT32_C(0xF192EADD), UINT32_C(0xA6D61D29), UINT32_C(0x3C26C931), ++ UINT32_C(0xDE0AD7A1), UINT32_C(0x589FDD52), UINT32_C(0x0442D37F), ++ UINT32_C(0x7CD83DD2), UINT32_C(0x403ECBFC), UINT32_C(0x1E47E777) } }, ++ }, ++ { ++ { { UINT32_C(0x70D4D7BC), UINT32_C(0x2AF8ED81), UINT32_C(0xB632435C), ++ UINT32_C(0xABC3E15F), UINT32_C(0x78219356), UINT32_C(0x4C0E726F), ++ UINT32_C(0xB87254C4), UINT32_C(0x8C1962A1), UINT32_C(0xC9E7691A), ++ UINT32_C(0x30796A71), UINT32_C(0xA75A12EE), UINT32_C(0xD453EF19) }, ++ { UINT32_C(0x13AE4964), UINT32_C(0x535F42C2), UINT32_C(0x0DA9586A), ++ UINT32_C(0x86831C3C), UINT32_C(0xE39A7A58), UINT32_C(0xB7F1EF35), ++ UINT32_C(0xD459B91A), UINT32_C(0xA2789AE2), UINT32_C(0x02FD429D), ++ UINT32_C(0xEADBCA7F), UINT32_C(0x65290F57), UINT32_C(0x94F215D4) } }, ++ { { UINT32_C(0x1CFB79AC), UINT32_C(0x37ED2BE5), UINT32_C(0xE7AF84C3), ++ UINT32_C(0x801946F3), UINT32_C(0xE77C2F00), UINT32_C(0xB061AD8A), ++ UINT32_C(0x44DE16A8), UINT32_C(0xE87E1A9A), UINT32_C(0x7EE490FF), ++ UINT32_C(0xDF4F57C8), UINT32_C(0x005993ED), UINT32_C(0x4E793B49) }, ++ { UINT32_C(0xBCCB593F), UINT32_C(0xE1036387), UINT32_C(0x95E09B80), ++ UINT32_C(0xF1749411), UINT32_C(0x5AB42F91), UINT32_C(0x59CB20D1), ++ UINT32_C(0xAC0FF033), UINT32_C(0xA738A18D), UINT32_C(0x2AC1E7F4), ++ UINT32_C(0xDA501A2E), UINT32_C(0x84D8A6E0), UINT32_C(0x1B67EDA0) } }, ++ { { UINT32_C(0x1080E90B), UINT32_C(0x1D27EFCE), UINT32_C(0x3FD01DC6), ++ UINT32_C(0xA2815246), UINT32_C(0xCAA26D18), UINT32_C(0x99A3FB83), ++ UINT32_C(0xB82BABBE), UINT32_C(0xD27E6133), UINT32_C(0xD783DD60), ++ UINT32_C(0x61030DFD), UINT32_C(0x73C78CB8), UINT32_C(0x295A2913) }, ++ { UINT32_C(0x68BE6A92), UINT32_C(0x8707A2CF), UINT32_C(0xEEB3474A), ++ UINT32_C(0xC9C2FB98), UINT32_C(0xA2B176B8), UINT32_C(0x7C3FD412), ++ UINT32_C(0xC7202101), UINT32_C(0xD5B52E2F), UINT32_C(0xF0A6D536), ++ UINT32_C(0x24A63030), UINT32_C(0x04648EC0), UINT32_C(0x05842DE3) } }, ++ { { UINT32_C(0x30577AC9), UINT32_C(0x67477CDC), UINT32_C(0x244F92A8), ++ UINT32_C(0x51DD9775), UINT32_C(0x917EEC66), UINT32_C(0x31FD60B9), ++ UINT32_C(0xD66C5C1D), UINT32_C(0xACD95BD4), UINT32_C(0xBF9508BA), ++ UINT32_C(0x2E0551F3), UINT32_C(0x688CB243), UINT32_C(0x121168E1) }, ++ { UINT32_C(0x4540D230), UINT32_C(0x8C039740), UINT32_C(0x009ECDF9), ++ UINT32_C(0xC4ED3CF6), UINT32_C(0x44DB62AF), UINT32_C(0x191825E1), ++ UINT32_C(0xC4A030DA), UINT32_C(0x3EE8ACAB), UINT32_C(0x94081504), ++ UINT32_C(0x8AB154A8), UINT32_C(0x486C9CD0), UINT32_C(0x1FE09E4B) } }, ++ { { UINT32_C(0xD113450B), UINT32_C(0x512F82F9), UINT32_C(0x2DBC9197), ++ UINT32_C(0x5878C901), UINT32_C(0xE13F355B), UINT32_C(0xDB87412B), ++ UINT32_C(0x935B8A5E), UINT32_C(0x0A0A4A9B), UINT32_C(0xF25A5351), ++ UINT32_C(0x818587BD), UINT32_C(0x31E3D9C7), UINT32_C(0xE8079310) }, ++ { UINT32_C(0x611BC1B1), UINT32_C(0x8B1D47C7), UINT32_C(0x72A823F2), ++ UINT32_C(0x51722B58), UINT32_C(0x53B36B3E), UINT32_C(0x6F97EE8A), ++ UINT32_C(0x946DD453), UINT32_C(0x6E085AAC), UINT32_C(0xE65E6533), ++ UINT32_C(0x2EC5057D), UINT32_C(0x4BB18801), UINT32_C(0xF82D9D71) } }, ++ { { UINT32_C(0x8BA5AA8E), UINT32_C(0xAD81FA93), UINT32_C(0x8F7AA69E), ++ UINT32_C(0x723E628E), UINT32_C(0xEF35937C), UINT32_C(0x0BA7C2DE), ++ UINT32_C(0x6DECFB40), UINT32_C(0x83A43EC5), UINT32_C(0xE60C4F2D), ++ UINT32_C(0xF520F849), UINT32_C(0x457E3B5E), UINT32_C(0x8260E8AE) }, ++ { UINT32_C(0xBF1D9ED7), UINT32_C(0x7CE874F0), UINT32_C(0x7F1A5466), ++ UINT32_C(0x5FDE3553), UINT32_C(0x0C162DBB), UINT32_C(0x5A63777C), ++ UINT32_C(0xDAD87289), UINT32_C(0x0FD04F8C), UINT32_C(0x640761D5), ++ UINT32_C(0xCA2D9E0E), UINT32_C(0x38501ADB), UINT32_C(0x4615CFF8) } }, ++ { { UINT32_C(0x110B4A25), UINT32_C(0x9422789B), UINT32_C(0x70AD8CC1), ++ UINT32_C(0x5C26779F), UINT32_C(0xEC4F1E14), UINT32_C(0x4EE6A748), ++ UINT32_C(0x5C7AB5E0), UINT32_C(0xFB584A0D), UINT32_C(0xFB21EE66), ++ UINT32_C(0xED1DCB0B), UINT32_C(0x11C6863C), UINT32_C(0xDBED1F00) }, ++ { UINT32_C(0xB1B1D187), UINT32_C(0xD2969269), UINT32_C(0xAFE964E6), ++ UINT32_C(0xF7D0C3F2), UINT32_C(0x12BB865E), UINT32_C(0xE05EE93F), ++ UINT32_C(0xED79118E), UINT32_C(0x1AFB7BEE), UINT32_C(0x0F0FE453), ++ UINT32_C(0x220AF138), UINT32_C(0x52782AB9), UINT32_C(0x1463AA1A) } }, ++ { { UINT32_C(0xD7DBE5F9), UINT32_C(0x7C139D56), UINT32_C(0x0B83685B), ++ UINT32_C(0xFC16E611), UINT32_C(0x9018463C), UINT32_C(0xFA723C02), ++ UINT32_C(0x840BF5D7), UINT32_C(0xC472458C), UINT32_C(0x0AF07591), ++ UINT32_C(0x4D809359), UINT32_C(0x3308DFD9), UINT32_C(0x418D8830) }, ++ { UINT32_C(0x0C365AE3), UINT32_C(0x9B381E04), UINT32_C(0xF8190FD1), ++ UINT32_C(0x3780BF33), UINT32_C(0xDD03E854), UINT32_C(0x45397418), ++ UINT32_C(0x4E51E491), UINT32_C(0xA95D030F), UINT32_C(0xE3286CEA), ++ UINT32_C(0x87C8C686), UINT32_C(0x900B5F83), UINT32_C(0x01C773BF) } }, ++ { { UINT32_C(0x78673B02), UINT32_C(0xDABE3475), UINT32_C(0xF6E7395E), ++ UINT32_C(0x4F0F25CE), UINT32_C(0xD181AD45), UINT32_C(0x3117ABB9), ++ UINT32_C(0xAA13DE0B), UINT32_C(0x4B559F88), UINT32_C(0xEA7C9745), ++ UINT32_C(0xFD8EFE78), UINT32_C(0x5DD21682), UINT32_C(0x08060047) }, ++ { UINT32_C(0xD4C86FFC), UINT32_C(0xC0F5DE4B), UINT32_C(0xF21AB6A2), ++ UINT32_C(0x4BB14B1E), UINT32_C(0xF50C1D12), UINT32_C(0xACB53A6C), ++ UINT32_C(0x5CC9162E), UINT32_C(0x46AAC450), UINT32_C(0x2DE240B6), ++ UINT32_C(0x049C51E0), UINT32_C(0xE383C3B0), UINT32_C(0xBB2DC016) } }, ++ { { UINT32_C(0x8E438C92), UINT32_C(0xA3C56AD2), UINT32_C(0xB2CEAF1A), ++ UINT32_C(0x7C43F98F), UINT32_C(0xE2150778), UINT32_C(0x397C44F7), ++ UINT32_C(0x71A24131), UINT32_C(0x48D17AB7), UINT32_C(0x1E2ACDA9), ++ UINT32_C(0xCC513863), UINT32_C(0xF0C9BAC9), UINT32_C(0x2C76A55E) }, ++ { UINT32_C(0x7EA4BB7B), UINT32_C(0x4D74CDCE), UINT32_C(0xB1B3C2BA), ++ UINT32_C(0x834BD5BF), UINT32_C(0xCCC310A4), UINT32_C(0x46E2911E), ++ UINT32_C(0x0FC1BF13), UINT32_C(0xD3DE84AA), UINT32_C(0x80A03AD3), ++ UINT32_C(0x27F2892F), UINT32_C(0x3BD2F08B), UINT32_C(0x85B47620) } }, ++ { { UINT32_C(0x567AF533), UINT32_C(0xAB1CB818), UINT32_C(0xBAC2705A), ++ UINT32_C(0x273B4537), UINT32_C(0x22C84AB6), UINT32_C(0x133066C4), ++ UINT32_C(0x4830BFC1), UINT32_C(0xC3590DE6), UINT32_C(0x5E4742D0), ++ UINT32_C(0xEA297869), UINT32_C(0x4F3164C0), UINT32_C(0xF6D8C694) }, ++ { UINT32_C(0xC1249588), UINT32_C(0x09E85F3D), UINT32_C(0x4EC64DF7), ++ UINT32_C(0x6C2BB05D), UINT32_C(0x8B78000F), UINT32_C(0xD267115E), ++ UINT32_C(0xC7E4A316), UINT32_C(0x07C5D7AE), UINT32_C(0x4619E5BD), ++ UINT32_C(0xCB1187BA), UINT32_C(0xA43F7EEE), UINT32_C(0x57B1D4EF) } }, ++ { { UINT32_C(0xC8176A96), UINT32_C(0x3618891F), UINT32_C(0xE5808B97), ++ UINT32_C(0x62C4B084), UINT32_C(0x4DD95D6E), UINT32_C(0xDE558546), ++ UINT32_C(0x730B2EA4), UINT32_C(0x27A8133E), UINT32_C(0x6AF318A0), ++ UINT32_C(0xE07CEEC3), UINT32_C(0xCE24FD2C), UINT32_C(0x0ACC1286) }, ++ { UINT32_C(0xDD4D307C), UINT32_C(0x8A48FE4A), UINT32_C(0x18CDE0DA), ++ UINT32_C(0x71A9BA9C), UINT32_C(0xD5D79747), UINT32_C(0x655E2B66), ++ UINT32_C(0xA79AEDC7), UINT32_C(0x409FE856), UINT32_C(0xD287E5CF), ++ UINT32_C(0xC5A9F244), UINT32_C(0x4E82EC39), UINT32_C(0xCCE10384) } }, ++ { { UINT32_C(0xF25D364C), UINT32_C(0x00675BA7), UINT32_C(0x68D36BDF), ++ UINT32_C(0x7A7F1629), UINT32_C(0xA9E23F29), UINT32_C(0x35EC468A), ++ UINT32_C(0x2D926E6C), UINT32_C(0xF797AC50), UINT32_C(0x4B4F4376), ++ UINT32_C(0x639BA453), UINT32_C(0x51FF9519), UINT32_C(0xD71B430F) }, ++ { UINT32_C(0x2CF5635C), UINT32_C(0xB8C439EC), UINT32_C(0x81980393), ++ UINT32_C(0x0CE4C8D1), UINT32_C(0x64123B15), UINT32_C(0x4C5362A9), ++ UINT32_C(0xFFDCF096), UINT32_C(0x6E0421E0), UINT32_C(0x10D1F914), ++ UINT32_C(0x624A855F), UINT32_C(0x614DCD29), UINT32_C(0x7D8F3AB7) } }, ++ { { UINT32_C(0xB3493CE0), UINT32_C(0xD9219ADA), UINT32_C(0x52F09AE5), ++ UINT32_C(0x971B243A), UINT32_C(0xE24E3674), UINT32_C(0xC16C9BF8), ++ UINT32_C(0xCE68C7CD), UINT32_C(0x026D408D), UINT32_C(0x358209E3), ++ UINT32_C(0xF9B33DD9), UINT32_C(0xF3B2A206), UINT32_C(0x02D0595D) }, ++ { UINT32_C(0x60D15640), UINT32_C(0xBF994271), UINT32_C(0x15B5466A), ++ UINT32_C(0x6DA7A04E), UINT32_C(0x1CADB50D), UINT32_C(0x03AA4ED8), ++ UINT32_C(0x129A4253), UINT32_C(0x1548F029), UINT32_C(0xB842865A), ++ UINT32_C(0x41741F7E), UINT32_C(0xA3F88C98), UINT32_C(0x859FE0A4) } }, ++ { { UINT32_C(0x05FD7553), UINT32_C(0x80DE085A), UINT32_C(0xB897566B), ++ UINT32_C(0x4A4AB91E), UINT32_C(0x2F1C173F), UINT32_C(0x33BCD475), ++ UINT32_C(0xC100C013), UINT32_C(0x4E238896), UINT32_C(0xD614B34B), ++ UINT32_C(0x1C88500D), UINT32_C(0xC3BA9E23), UINT32_C(0x0401C5F6) }, ++ { UINT32_C(0xD0AF0DE5), UINT32_C(0x8E8003C4), UINT32_C(0x9D0DCBB9), ++ UINT32_C(0x19B1DFB5), UINT32_C(0xEBEF7AB6), UINT32_C(0x4A3640A9), ++ UINT32_C(0x959B15F6), UINT32_C(0xEDAFD65B), UINT32_C(0x7FB95821), ++ UINT32_C(0x8092EF7F), UINT32_C(0xCE2E45D1), UINT32_C(0xAB8DD52E) } }, ++ { { UINT32_C(0xB9CFE6BF), UINT32_C(0xD1F2D6B8), UINT32_C(0x00073F6F), ++ UINT32_C(0x6358810B), UINT32_C(0xD712106E), UINT32_C(0x5FCE5993), ++ UINT32_C(0x1C024C91), UINT32_C(0x5EE6B271), UINT32_C(0x453DB663), ++ UINT32_C(0xD0248FF5), UINT32_C(0xADB835E8), UINT32_C(0xD6D81CB2) }, ++ { UINT32_C(0xFDFCB4C7), UINT32_C(0x8696CFEC), UINT32_C(0x53BC9045), ++ UINT32_C(0x696B7FCB), UINT32_C(0xDDA56981), UINT32_C(0xAB4D3807), ++ UINT32_C(0x1E4B943B), UINT32_C(0x2F998052), UINT32_C(0x166B7F18), ++ UINT32_C(0x8AA76ADB), UINT32_C(0x52A2D7ED), UINT32_C(0x63934301) } }, ++ }, ++ { ++ { { UINT32_C(0xA368EFF6), UINT32_C(0xBBCCCE39), UINT32_C(0x8CEB5C43), ++ UINT32_C(0xD8CAABDF), UINT32_C(0xD2252FDA), UINT32_C(0x9EAE35A5), ++ UINT32_C(0x54E7DD49), UINT32_C(0xA8F4F209), UINT32_C(0x295100FD), ++ UINT32_C(0xA56D72A6), UINT32_C(0x56767727), UINT32_C(0x20FC1FE8) }, ++ { UINT32_C(0x0BBAA5AB), UINT32_C(0xBF60B248), UINT32_C(0x313911F2), ++ UINT32_C(0xA4F3CE5A), UINT32_C(0xB93DAB9C), UINT32_C(0xC2A67AD4), ++ UINT32_C(0x22D71F39), UINT32_C(0x18CD0ED0), UINT32_C(0x5F304DB2), ++ UINT32_C(0x04380C42), UINT32_C(0x6729C821), UINT32_C(0x26420CBB) } }, ++ { { UINT32_C(0xBDFBCAE8), UINT32_C(0x26BD07D6), UINT32_C(0xDF01A80A), ++ UINT32_C(0x10B5173F), UINT32_C(0x6798B96C), UINT32_C(0xD831C546), ++ UINT32_C(0x1D3F3859), UINT32_C(0x1D6B4108), UINT32_C(0x991B9EC7), ++ UINT32_C(0x501D38EC), UINT32_C(0xD78431A9), UINT32_C(0x26319283) }, ++ { UINT32_C(0x118B343C), UINT32_C(0x8B85BAF7), UINT32_C(0x58DEF7D0), ++ UINT32_C(0x4696CDDD), UINT32_C(0x7ACDCF58), UINT32_C(0xEFC7C110), ++ UINT32_C(0x848D5842), UINT32_C(0xD9AF415C), UINT32_C(0x0AC7FDAC), ++ UINT32_C(0x6B5A06BC), UINT32_C(0xA344319B), UINT32_C(0x7D623E0D) } }, ++ { { UINT32_C(0x0C9D3547), UINT32_C(0x4C0D7806), UINT32_C(0xCF2AED47), ++ UINT32_C(0x993F048D), UINT32_C(0xE4B57E22), UINT32_C(0x5217C453), ++ UINT32_C(0xF4172B28), UINT32_C(0xB4669E35), UINT32_C(0x49F999F8), ++ UINT32_C(0x509A3CD0), UINT32_C(0x87C69D41), UINT32_C(0xD19F8632) }, ++ { UINT32_C(0x4C8FDED0), UINT32_C(0xE14D01E8), UINT32_C(0xEAFD9E1C), ++ UINT32_C(0x342880FD), UINT32_C(0x70DC2BF0), UINT32_C(0x0E17BFF2), ++ UINT32_C(0xC0186400), UINT32_C(0x46560B7B), UINT32_C(0x49A4DD34), ++ UINT32_C(0xE28C7B9C), UINT32_C(0x0F325D06), UINT32_C(0x18211916) } }, ++ { { UINT32_C(0xD7E02E18), UINT32_C(0x46D70888), UINT32_C(0xD9F11FD9), ++ UINT32_C(0x7C806954), UINT32_C(0x4FBEA271), UINT32_C(0xE4948FCA), ++ UINT32_C(0xBD80A9DF), UINT32_C(0x7D6C7765), UINT32_C(0xF3871C71), ++ UINT32_C(0x1B470EA6), UINT32_C(0x8330A570), UINT32_C(0xD62DE244) }, ++ { UINT32_C(0xC659C3A7), UINT32_C(0xDAECDDC1), UINT32_C(0x077F7AFC), ++ UINT32_C(0x8621E513), UINT32_C(0xCAEEEF13), UINT32_C(0x56C7CD84), ++ UINT32_C(0xC685A356), UINT32_C(0xC60C910F), UINT32_C(0x9DD93DDC), ++ UINT32_C(0xE68BC5C5), UINT32_C(0xFEB64895), UINT32_C(0xD904E89F) } }, ++ { { UINT32_C(0x8BA7917A), UINT32_C(0x75D874FB), UINT32_C(0xFD043BD4), ++ UINT32_C(0x18FA7F53), UINT32_C(0x1FC3979E), UINT32_C(0x212A0AD7), ++ UINT32_C(0x5D6EAC0E), UINT32_C(0x5703A7D9), UINT32_C(0x017DEAD5), ++ UINT32_C(0x222F7188), UINT32_C(0x0F6C1817), UINT32_C(0x1EC687B7) }, ++ { UINT32_C(0x238BACB6), UINT32_C(0x23412FC3), UINT32_C(0x54CED154), ++ UINT32_C(0xB85D70E9), UINT32_C(0xBDA674D0), UINT32_C(0xD4E06722), ++ UINT32_C(0x36F5A0C2), UINT32_C(0x3EA5F178), UINT32_C(0xF5C6D2CA), ++ UINT32_C(0x7E7D79CF), UINT32_C(0x3DBB3C73), UINT32_C(0x1FFF9464) } }, ++ { { UINT32_C(0xF163E4A8), UINT32_C(0x916E19D0), UINT32_C(0x1489DF17), ++ UINT32_C(0x1E6740E7), UINT32_C(0x339F3A47), UINT32_C(0x1EAF9723), ++ UINT32_C(0x124B8DAD), UINT32_C(0x22F0ED1A), UINT32_C(0x49C3DD04), ++ UINT32_C(0x39C9166C), UINT32_C(0xCE1E9ACC), UINT32_C(0x628E7FD4) }, ++ { UINT32_C(0x40031676), UINT32_C(0x124DDF27), UINT32_C(0x1EDDB9BE), ++ UINT32_C(0x00256939), UINT32_C(0xD360B0DA), UINT32_C(0xD39E25E7), ++ UINT32_C(0x4AA6C4C9), UINT32_C(0x6E3015A8), UINT32_C(0x623EDA09), ++ UINT32_C(0xC6A2F643), UINT32_C(0x50AA99FB), UINT32_C(0xBEFF2D12) } }, ++ { { UINT32_C(0x93EE8089), UINT32_C(0x1FEEF7CE), UINT32_C(0x252DD7BD), ++ UINT32_C(0xC6B180BC), UINT32_C(0x1788F051), UINT32_C(0xA16FB20B), ++ UINT32_C(0xE046ED39), UINT32_C(0xD86FD392), UINT32_C(0x9378CE1D), ++ UINT32_C(0xDA0A3611), UINT32_C(0xA5F7A61D), UINT32_C(0x121EF3E7) }, ++ { UINT32_C(0x92D13CAE), UINT32_C(0x94D22061), UINT32_C(0x77C72E08), ++ UINT32_C(0x5076046A), UINT32_C(0x7D2308B9), UINT32_C(0xF18BC233), ++ UINT32_C(0x17F977B1), UINT32_C(0x004DB3C5), UINT32_C(0x0471C11D), ++ UINT32_C(0xD05AE399), UINT32_C(0x85CD1726), UINT32_C(0x86A2A557) } }, ++ { { UINT32_C(0x72107804), UINT32_C(0xB8D9B286), UINT32_C(0x3303B79B), ++ UINT32_C(0xB5A7C413), UINT32_C(0x5FA37DED), UINT32_C(0x927EEF78), ++ UINT32_C(0xAD67DABA), UINT32_C(0xA1C5CF1E), UINT32_C(0x7360E7C7), ++ UINT32_C(0xAA5E3FB2), UINT32_C(0x0A0C0993), UINT32_C(0x8354E61A) }, ++ { UINT32_C(0x7F5458CC), UINT32_C(0x2EC73AF9), UINT32_C(0x48474325), ++ UINT32_C(0xDE4CB488), UINT32_C(0x7209BC69), UINT32_C(0x2DD134C7), ++ UINT32_C(0x451A2ABE), UINT32_C(0xB70C5567), UINT32_C(0x8E293018), ++ UINT32_C(0x2CD1B200), UINT32_C(0xD33C0D72), UINT32_C(0x15F8DA7A) } }, ++ { { UINT32_C(0xA8790657), UINT32_C(0x5DC386D0), UINT32_C(0xBC4D88BB), ++ UINT32_C(0xA4FDF676), UINT32_C(0x48BC6C49), UINT32_C(0x1B21F38F), ++ UINT32_C(0x543A7003), UINT32_C(0xCDCC7FAA), UINT32_C(0x8C9CF72C), ++ UINT32_C(0xEA97E7AA), UINT32_C(0x50D938A8), UINT32_C(0xA6B883F4) }, ++ { UINT32_C(0xA3A10F27), UINT32_C(0x51936F3A), UINT32_C(0xDECC76BF), ++ UINT32_C(0x0170785F), UINT32_C(0x908C578A), UINT32_C(0x7539ECE1), ++ UINT32_C(0x0F3E8C25), UINT32_C(0x5D9C8A8E), UINT32_C(0x9E4717A7), ++ UINT32_C(0x8681B43B), UINT32_C(0xA9D83E39), UINT32_C(0x94F42507) } }, ++ { { UINT32_C(0xA55ADDE7), UINT32_C(0xBBE11CA8), UINT32_C(0x3BC0896B), ++ UINT32_C(0x39E6F5CF), UINT32_C(0x1D2D8D94), UINT32_C(0x1447314E), ++ UINT32_C(0x5B012F8A), UINT32_C(0x45B48125), UINT32_C(0x08AD5283), ++ UINT32_C(0x41AD23FA), UINT32_C(0x41D13774), UINT32_C(0x837243E2) }, ++ { UINT32_C(0xBADCAA46), UINT32_C(0x1FC0BD9D), UINT32_C(0x26E84CAE), ++ UINT32_C(0x8DF164ED), UINT32_C(0x41017176), UINT32_C(0x8FF70EC0), ++ UINT32_C(0x5C848BA7), UINT32_C(0x23AD4BCE), UINT32_C(0x97A19CBB), ++ UINT32_C(0x89246FDE), UINT32_C(0x78397991), UINT32_C(0xA5EF987B) } }, ++ { { UINT32_C(0x4757964D), UINT32_C(0x111AF1B7), UINT32_C(0xDDBBF258), ++ UINT32_C(0x1D25D351), UINT32_C(0x7D2B06D6), UINT32_C(0x4161E776), ++ UINT32_C(0x1CAC0C5B), UINT32_C(0x6EFD2691), UINT32_C(0x211BFAEB), ++ UINT32_C(0x633B95DB), UINT32_C(0xE2BDF701), UINT32_C(0x9BEDFA5A) }, ++ { UINT32_C(0x73E099C8), UINT32_C(0xADAC2B0B), UINT32_C(0xBFB16BFF), ++ UINT32_C(0x436F0023), UINT32_C(0x30F55854), UINT32_C(0xB91B1002), ++ UINT32_C(0xF4C6C8B7), UINT32_C(0xAF6A2097), UINT32_C(0x3AD7B3D9), ++ UINT32_C(0x3FF65CED), UINT32_C(0x330E56DF), UINT32_C(0x6FA2626F) } }, ++ { { UINT32_C(0xFFCCFD07), UINT32_C(0x3D28BF2D), UINT32_C(0xD989603B), ++ UINT32_C(0x0514F6FF), UINT32_C(0x5514787A), UINT32_C(0xB9519629), ++ UINT32_C(0xC3DB4E9C), UINT32_C(0xA1848121), UINT32_C(0x2A3D4595), ++ UINT32_C(0x47FE2E39), UINT32_C(0x11B73ED4), UINT32_C(0x506F5D82) }, ++ { UINT32_C(0xA600D8BB), UINT32_C(0xA2257AE7), UINT32_C(0x0F9F122C), ++ UINT32_C(0xD659DBD1), UINT32_C(0x64DF160F), UINT32_C(0xDB0FDC67), ++ UINT32_C(0x7CB19690), UINT32_C(0xFF379339), UINT32_C(0x98E72EC1), ++ UINT32_C(0xDF4366B8), UINT32_C(0xDF437EB8), UINT32_C(0x97E72BEC) } }, ++ { { UINT32_C(0x1C81E5D9), UINT32_C(0x81DCEA27), UINT32_C(0x6717FC49), ++ UINT32_C(0x7E1B6CDA), UINT32_C(0x11EAE80D), UINT32_C(0xAA36B3B5), ++ UINT32_C(0x3CD7CBB3), UINT32_C(0x1306687C), UINT32_C(0xC4E89064), ++ UINT32_C(0xED670235), UINT32_C(0x58A94760), UINT32_C(0x9D3B0009) }, ++ { UINT32_C(0xE6A6333C), UINT32_C(0x5A64E158), UINT32_C(0x49453203), ++ UINT32_C(0x1A8B4A36), UINT32_C(0x1F77CC21), UINT32_C(0xF1CAD724), ++ UINT32_C(0x70518EF7), UINT32_C(0x693EBB4B), UINT32_C(0x0F39C91A), ++ UINT32_C(0xFB47BD81), UINT32_C(0xFA4BC64B), UINT32_C(0xCFE63DA2) } }, ++ { { UINT32_C(0xEAA66108), UINT32_C(0x82C1C684), UINT32_C(0x4CFE79FC), ++ UINT32_C(0xE3226218), UINT32_C(0x849C720E), UINT32_C(0x3F28B72B), ++ UINT32_C(0x8FEE1CA8), UINT32_C(0x137FB355), UINT32_C(0xE4F90C4E), ++ UINT32_C(0x4D18A9CD), UINT32_C(0xCC3E46FA), UINT32_C(0xC0344227) }, ++ { UINT32_C(0x79CDA392), UINT32_C(0x4FD5C08E), UINT32_C(0x8ADC87B5), ++ UINT32_C(0x65DB20DB), UINT32_C(0x916C1B84), UINT32_C(0x86F95D5B), ++ UINT32_C(0x17BB2B7C), UINT32_C(0x7EDA3871), UINT32_C(0x669A533B), ++ UINT32_C(0x18CCF7E7), UINT32_C(0xECAD0E06), UINT32_C(0x5E92421C) } }, ++ { { UINT32_C(0x4174B08B), UINT32_C(0x26063E12), UINT32_C(0x70DE8E4D), ++ UINT32_C(0xE621D9BE), UINT32_C(0x5ECDF350), UINT32_C(0xAEA0FD0F), ++ UINT32_C(0x9C20E5C9), UINT32_C(0x0D9F69E4), UINT32_C(0x0BBE2918), ++ UINT32_C(0xD3DADEB9), UINT32_C(0x58AA2F71), UINT32_C(0xD7B9B5DB) }, ++ { UINT32_C(0x3364CAF8), UINT32_C(0x7A971DD7), UINT32_C(0xC25D4BE4), ++ UINT32_C(0x702616A3), UINT32_C(0xA9E30071), UINT32_C(0xA30F0FA1), ++ UINT32_C(0x5573BC69), UINT32_C(0x98AB2438), UINT32_C(0x6FEC2E22), ++ UINT32_C(0xCBC63CDF), UINT32_C(0xCC901B9B), UINT32_C(0x965F90ED) } }, ++ { { UINT32_C(0x71E15BB3), UINT32_C(0xD53B592D), UINT32_C(0x8820E0D0), ++ UINT32_C(0x1F03C0E9), UINT32_C(0x3CCCB726), UINT32_C(0xCE93947D), ++ UINT32_C(0x1D547590), UINT32_C(0x2790FEE0), UINT32_C(0xC59CDD7A), ++ UINT32_C(0x4401D847), UINT32_C(0xA926DD9D), UINT32_C(0x72D69120) }, ++ { UINT32_C(0x4229F289), UINT32_C(0x38B8F21D), UINT32_C(0x7FE978AF), ++ UINT32_C(0x9F412E40), UINT32_C(0xCDB59AF1), UINT32_C(0xAE07901B), ++ UINT32_C(0xD1D4715E), UINT32_C(0x1E6BE5EB), UINT32_C(0x18C96BEF), ++ UINT32_C(0x3715BD8B), UINT32_C(0xE11B3798), UINT32_C(0x4B71F6E6) } }, ++ }, ++ { ++ { { UINT32_C(0xF0CE2DF4), UINT32_C(0x11A8FDE5), UINT32_C(0xFA8D26DF), ++ UINT32_C(0xBC70CA3E), UINT32_C(0xC74DFE82), UINT32_C(0x6818C275), ++ UINT32_C(0x38373A50), UINT32_C(0x2B0294AC), UINT32_C(0xE8E5F88F), ++ UINT32_C(0x584C4061), UINT32_C(0x7342383A), UINT32_C(0x1C05C1CA) }, ++ { UINT32_C(0x911430EC), UINT32_C(0x263895B3), UINT32_C(0xA5171453), ++ UINT32_C(0xEF9B0032), UINT32_C(0x84DA7F0C), UINT32_C(0x144359DA), ++ UINT32_C(0x924A09F2), UINT32_C(0x76E3095A), UINT32_C(0xD69AD835), ++ UINT32_C(0x612986E3), UINT32_C(0x392122AF), UINT32_C(0x70E03ADA) } }, ++ { { UINT32_C(0x67AAD17B), UINT32_C(0xFEB707EE), UINT32_C(0x83042995), ++ UINT32_C(0xBB21B287), UINT32_C(0x9A0D32BA), UINT32_C(0x26DE1645), ++ UINT32_C(0x1FFB9266), UINT32_C(0x9A2FF38A), UINT32_C(0x8F578B4A), ++ UINT32_C(0x4E5AD96D), UINT32_C(0x883E7443), UINT32_C(0x26CC0655) }, ++ { UINT32_C(0x2EE9367A), UINT32_C(0x1D8EECAB), UINT32_C(0x881DE2F8), ++ UINT32_C(0x42B84337), UINT32_C(0xD758AE41), UINT32_C(0xE49B2FAE), ++ UINT32_C(0x4A85D867), UINT32_C(0x6A9A2290), UINT32_C(0xE68CBA86), ++ UINT32_C(0x2FB89DCE), UINT32_C(0x7F09A982), UINT32_C(0xBC252635) } }, ++ { { UINT32_C(0x8C61AAAC), UINT32_C(0xADC79436), UINT32_C(0x5E926563), ++ UINT32_C(0x24C7FD13), UINT32_C(0x0406C129), UINT32_C(0xEF9FAAA4), ++ UINT32_C(0x8B658D3C), UINT32_C(0xF4E6388C), UINT32_C(0x1E435BAF), ++ UINT32_C(0x7262BEB4), UINT32_C(0xFDAEAC99), UINT32_C(0x3BF622CC) }, ++ { UINT32_C(0x4E1AEDDC), UINT32_C(0xD359F7D8), UINT32_C(0xD78C17B7), ++ UINT32_C(0x05DC4F8C), UINT32_C(0x29498BA5), UINT32_C(0xB18CF032), ++ UINT32_C(0x85BF35AD), UINT32_C(0xC67388CA), UINT32_C(0x62AA4BC8), ++ UINT32_C(0x8A7A6AA2), UINT32_C(0x72F4627A), UINT32_C(0x0B8F458E) } }, ++ { { UINT32_C(0xC68E4488), UINT32_C(0x3FB812EE), UINT32_C(0x60EF7281), ++ UINT32_C(0x53C5EAA4), UINT32_C(0x8FBEFBE4), UINT32_C(0xE5724183), ++ UINT32_C(0xA4B24A05), UINT32_C(0x2B7D49F4), UINT32_C(0x710C0A43), ++ UINT32_C(0x23B138D0), UINT32_C(0xA85EC1DB), UINT32_C(0x16A5B4C1) }, ++ { UINT32_C(0x305FEB02), UINT32_C(0x7CC1F3D7), UINT32_C(0x5B6C1B54), ++ UINT32_C(0x52F7947D), UINT32_C(0x8F56981C), UINT32_C(0x1BDA2312), ++ UINT32_C(0xB4080A01), UINT32_C(0x68663EAE), UINT32_C(0x9F999B7F), ++ UINT32_C(0x8DD7BA7E), UINT32_C(0xB686580C), UINT32_C(0xD8768D19) } }, ++ { { UINT32_C(0x7AFDDA94), UINT32_C(0xBCD0E0AD), UINT32_C(0x34A30687), ++ UINT32_C(0x95A0DBBE), UINT32_C(0x8C5E2665), UINT32_C(0xBBE3C3DF), ++ UINT32_C(0xEBF2BC16), UINT32_C(0x742BECD8), UINT32_C(0x3FA163A6), ++ UINT32_C(0x300CEB48), UINT32_C(0x4663354B), UINT32_C(0x0C5D02EE) }, ++ { UINT32_C(0xB5E606A4), UINT32_C(0xE4FB9AD6), UINT32_C(0xCF49FF95), ++ UINT32_C(0x93F507B8), UINT32_C(0x585C193B), UINT32_C(0x9406A90C), ++ UINT32_C(0x4ECF9517), UINT32_C(0xAD1440C1), UINT32_C(0x9CEA53F1), ++ UINT32_C(0x184CB475), UINT32_C(0x8EF11302), UINT32_C(0x6855C474) } }, ++ { { UINT32_C(0xEDCAFA52), UINT32_C(0x00ECB523), UINT32_C(0x086F69D3), ++ UINT32_C(0x0DA0AE0E), UINT32_C(0xC242F347), UINT32_C(0xC384DE15), ++ UINT32_C(0x848C12B7), UINT32_C(0xFB050E6E), UINT32_C(0x64E015CE), ++ UINT32_C(0x22F67654), UINT32_C(0x7CA122F2), UINT32_C(0xCBDC2A48) }, ++ { UINT32_C(0x445FB02C), UINT32_C(0xA940D973), UINT32_C(0x3767D89D), ++ UINT32_C(0x00F31E78), UINT32_C(0x613DABDD), UINT32_C(0x2B65A237), ++ UINT32_C(0xC875AE09), UINT32_C(0x2BE0AB05), UINT32_C(0xBA204F8E), ++ UINT32_C(0xB22E54FD), UINT32_C(0x0F7687B9), UINT32_C(0x65E2029D) } }, ++ { { UINT32_C(0x1855A71C), UINT32_C(0xFFD82538), UINT32_C(0x438BD8D8), ++ UINT32_C(0x26A330B3), UINT32_C(0xF9D8C5F9), UINT32_C(0x89628311), ++ UINT32_C(0x953738A0), UINT32_C(0x8D5FB9CF), UINT32_C(0xEDFCD4E5), ++ UINT32_C(0xCB7159C9), UINT32_C(0x2064C7C2), UINT32_C(0xD64E5230) }, ++ { UINT32_C(0x689F3CFE), UINT32_C(0xF858ED80), UINT32_C(0x56128B67), ++ UINT32_C(0x4830E309), UINT32_C(0xE0E90688), UINT32_C(0x2E1692DA), ++ UINT32_C(0xCA9CC232), UINT32_C(0xAB818913), UINT32_C(0xA5D229A6), ++ UINT32_C(0xE2E30C23), UINT32_C(0x0E740E23), UINT32_C(0xA544E8B1) } }, ++ { { UINT32_C(0xDC61E6CC), UINT32_C(0x1C15E569), UINT32_C(0x58FC7800), ++ UINT32_C(0x8FD72967), UINT32_C(0x37A9DFC5), UINT32_C(0xE61E7DB7), ++ UINT32_C(0x5AFD7822), UINT32_C(0x3F34A9C6), UINT32_C(0x19E80773), ++ UINT32_C(0x0A112742), UINT32_C(0x4760FC58), UINT32_C(0xA353460C) }, ++ { UINT32_C(0xB3124C71), UINT32_C(0x2FB7DEEB), UINT32_C(0x2D4009CC), ++ UINT32_C(0x48463627), UINT32_C(0xC3A10370), UINT32_C(0x399D1933), ++ UINT32_C(0x54388DBD), UINT32_C(0x7EB19450), UINT32_C(0x7C2A006A), ++ UINT32_C(0x8ECCE639), UINT32_C(0x55C932A0), UINT32_C(0x3D565DAF) } }, ++ { { UINT32_C(0xD9ADAE53), UINT32_C(0xCEF57A9F), UINT32_C(0xF83FD8CD), ++ UINT32_C(0xE2EB27D7), UINT32_C(0x9BBD2DDE), UINT32_C(0x4AC8F719), ++ UINT32_C(0xE91ABFB7), UINT32_C(0x604283AA), UINT32_C(0x34799F87), ++ UINT32_C(0xB6A4E115), UINT32_C(0xE4C2A8F3), UINT32_C(0x2B253224) }, ++ { UINT32_C(0xC8782294), UINT32_C(0xC34F8B92), UINT32_C(0xFCC2CB6B), ++ UINT32_C(0xC74D697D), UINT32_C(0xC2C84C46), UINT32_C(0xD990411B), ++ UINT32_C(0x31EA4955), UINT32_C(0x2807B5C6), UINT32_C(0xB9EB27F5), ++ UINT32_C(0x14AE2B93), UINT32_C(0x6163EDFA), UINT32_C(0xF0AE96A7) } }, ++ { { UINT32_C(0x42DB7180), UINT32_C(0xA7BDCBB4), UINT32_C(0xEDCA752F), ++ UINT32_C(0xC9FAA41F), UINT32_C(0xE820F401), UINT32_C(0x147F91B4), ++ UINT32_C(0xF5F2645F), UINT32_C(0x1E6CEF86), UINT32_C(0x31FE711D), ++ UINT32_C(0xB4AB4D7F), UINT32_C(0x743EF882), UINT32_C(0xCE68FB3C) }, ++ { UINT32_C(0x3EF2FCFF), UINT32_C(0xB9D7D682), UINT32_C(0x020DCAFD), ++ UINT32_C(0xF6893811), UINT32_C(0xBF81E760), UINT32_C(0x30D9A50C), ++ UINT32_C(0xB9B87228), UINT32_C(0x7F247D06), UINT32_C(0x5F40CFC0), ++ UINT32_C(0x143D4FEC), UINT32_C(0x329B2A88), UINT32_C(0x21D78D73) } }, ++ { { UINT32_C(0xED3F2055), UINT32_C(0x06B3FF8A), UINT32_C(0x522BE214), ++ UINT32_C(0x50482C77), UINT32_C(0xDDF54620), UINT32_C(0x8DF69CD8), ++ UINT32_C(0xF78A1165), UINT32_C(0x6D1DB204), UINT32_C(0x9AFE6BF2), ++ UINT32_C(0x459AE4A2), UINT32_C(0x24AC871E), UINT32_C(0xC23A9FFD) }, ++ { UINT32_C(0x89E85D81), UINT32_C(0xB7FD22E3), UINT32_C(0x122E9978), ++ UINT32_C(0x297F1F6B), UINT32_C(0x144BE1CE), UINT32_C(0xAB283D66), ++ UINT32_C(0xC00C614E), UINT32_C(0xC1F90AC2), UINT32_C(0x3224CD09), ++ UINT32_C(0x5465576E), UINT32_C(0x441B6059), UINT32_C(0x8E8D910D) } }, ++ { { UINT32_C(0xAAA228BC), UINT32_C(0xF73A060A), UINT32_C(0x56EFF87D), ++ UINT32_C(0xCF1B0783), UINT32_C(0xA54C9133), UINT32_C(0x11EF17C0), ++ UINT32_C(0x76A4DAA5), UINT32_C(0x9E476B15), UINT32_C(0x8018FB92), ++ UINT32_C(0x5624FEAC), UINT32_C(0xCFEEC1B9), UINT32_C(0x9826A0FC) }, ++ { UINT32_C(0x2DFE2046), UINT32_C(0xB732F7FE), UINT32_C(0x3B40DA6A), ++ UINT32_C(0x9260BD9F), UINT32_C(0x4F231773), UINT32_C(0xCC9F908F), ++ UINT32_C(0xDAFC0D55), UINT32_C(0x4827FEB9), UINT32_C(0x538ACE95), ++ UINT32_C(0x07D32E85), UINT32_C(0xB8EDAF37), UINT32_C(0xAD9F897C) } }, ++ { { UINT32_C(0xE3415498), UINT32_C(0x2F75B82F), UINT32_C(0xF1015F30), ++ UINT32_C(0xF99CAC5F), UINT32_C(0x7D7F25DE), UINT32_C(0x76640824), ++ UINT32_C(0xEE74C047), UINT32_C(0x714BC9CD), UINT32_C(0x07448879), ++ UINT32_C(0x70F847BF), UINT32_C(0x072165C0), UINT32_C(0xA14481DE) }, ++ { UINT32_C(0xDB1140A8), UINT32_C(0x9BFA59E3), UINT32_C(0xFCD13502), ++ UINT32_C(0x7B9C7FF0), UINT32_C(0x68459ABF), UINT32_C(0xF4D7538E), ++ UINT32_C(0xC8FC6AD2), UINT32_C(0xED93A791), UINT32_C(0xB51BD9B2), ++ UINT32_C(0xA8BBE2A8), UINT32_C(0x9FB34008), UINT32_C(0x084B5A27) } }, ++ { { UINT32_C(0xEB138C84), UINT32_C(0xB3BB9545), UINT32_C(0x3FC88BFD), ++ UINT32_C(0x59C3489C), UINT32_C(0x85F53EC7), UINT32_C(0x3A97FF63), ++ UINT32_C(0x0AA69C3D), UINT32_C(0x40FDF5A6), UINT32_C(0x53D19668), ++ UINT32_C(0x0E8CCEC7), UINT32_C(0x33FAA661), UINT32_C(0x0AA72EF9) }, ++ { UINT32_C(0x9B1E684B), UINT32_C(0xF5C5A6CF), UINT32_C(0x31A22EA1), ++ UINT32_C(0x630F9371), UINT32_C(0xAC60F7EA), UINT32_C(0x06B2AAC2), ++ UINT32_C(0x5BC37D80), UINT32_C(0xB181CAE2), UINT32_C(0x247B13EA), ++ UINT32_C(0x4601A929), UINT32_C(0x5F739797), UINT32_C(0x8A71C386) } }, ++ { { UINT32_C(0xAB134786), UINT32_C(0x545387B3), UINT32_C(0x1599B64A), ++ UINT32_C(0x3179BB06), UINT32_C(0x07593574), UINT32_C(0xB0A61986), ++ UINT32_C(0x63FA7C3B), UINT32_C(0xC7E39B21), UINT32_C(0x91585D13), ++ UINT32_C(0xA1173F86), UINT32_C(0xCB9525CD), UINT32_C(0x09D5CC8E) }, ++ { UINT32_C(0x8F3A3451), UINT32_C(0xAAD44FFD), UINT32_C(0x25820CC5), ++ UINT32_C(0x702B04F2), UINT32_C(0x1CB66C17), UINT32_C(0xE90CAC49), ++ UINT32_C(0xEE161DC4), UINT32_C(0x40F6B547), UINT32_C(0x1BA4AC4E), ++ UINT32_C(0xC08BB8B4), UINT32_C(0xAE5A6BC1), UINT32_C(0x7DC064FB) } }, ++ { { UINT32_C(0x9D76DDC7), UINT32_C(0x90A5E871), UINT32_C(0xEDFC8E2E), ++ UINT32_C(0x39DC8FAE), UINT32_C(0x5B079C62), UINT32_C(0x98467A23), ++ UINT32_C(0x05450C98), UINT32_C(0xE25E3785), UINT32_C(0x96140083), ++ UINT32_C(0x2FE23A4D), UINT32_C(0xE9900312), UINT32_C(0x65CE3B9A) }, ++ { UINT32_C(0x6B72B5D9), UINT32_C(0x1D87D088), UINT32_C(0xFD9AFC82), ++ UINT32_C(0x72F53220), UINT32_C(0x9E1F71FA), UINT32_C(0xC63C7C15), ++ UINT32_C(0x8D449637), UINT32_C(0x90DF26EA), UINT32_C(0xC1C2B215), ++ UINT32_C(0x97089F40), UINT32_C(0x42317FAA), UINT32_C(0x83AF2664) } }, ++ }, ++ { ++ { { UINT32_C(0x8D688E31), UINT32_C(0xFA2DB51A), UINT32_C(0xA09C88D4), ++ UINT32_C(0x225B696C), UINT32_C(0x6059171F), UINT32_C(0x9F88AF1D), ++ UINT32_C(0x782A0993), UINT32_C(0x1C5FEA5E), UINT32_C(0x4EC710D3), ++ UINT32_C(0xE0FB1588), UINT32_C(0xD32CE365), UINT32_C(0xFAF372E5) }, ++ { UINT32_C(0x26506F45), UINT32_C(0xD9F896AB), UINT32_C(0x8373C724), ++ UINT32_C(0x8D350338), UINT32_C(0xCA6E7342), UINT32_C(0x1B76992D), ++ UINT32_C(0x6FD0C08B), UINT32_C(0x76338FCA), UINT32_C(0xA00F5C23), ++ UINT32_C(0xC3EA4C65), UINT32_C(0xB316B35B), UINT32_C(0xDFAB29B3) } }, ++ { { UINT32_C(0x483AEBF9), UINT32_C(0x84E5541F), UINT32_C(0x49165772), ++ UINT32_C(0x8ADFF7DC), UINT32_C(0x9BEAAD3C), UINT32_C(0xE0A43AD6), ++ UINT32_C(0xF51C2714), UINT32_C(0x97DD1820), UINT32_C(0x57EA5B0C), ++ UINT32_C(0xAC2B4CB4), UINT32_C(0xD11767CA), UINT32_C(0x87DBD011) }, ++ { UINT32_C(0xBFC7957A), UINT32_C(0x18CCF36C), UINT32_C(0x1BC79227), ++ UINT32_C(0xD4A08841), UINT32_C(0xD8D292A8), UINT32_C(0x9811CE43), ++ UINT32_C(0xD58C4EE7), UINT32_C(0x72C5FC68), UINT32_C(0xD35C65A7), ++ UINT32_C(0x5BC0F0BE), UINT32_C(0xCBBF9669), UINT32_C(0x0B446DBC) } }, ++ { { UINT32_C(0x9CEE9BCE), UINT32_C(0x7EBA3DA6), UINT32_C(0xD5377750), ++ UINT32_C(0x3E2C1248), UINT32_C(0x2B93D8B2), UINT32_C(0x8C917D98), ++ UINT32_C(0x7CAD1F75), UINT32_C(0xCA8FC6AC), UINT32_C(0xA0FF150A), ++ UINT32_C(0x5F581F19), UINT32_C(0xE08327FA), UINT32_C(0x872CC14A) }, ++ { UINT32_C(0xE9333188), UINT32_C(0xC774F187), UINT32_C(0x497AF7E8), ++ UINT32_C(0x528ED4AC), UINT32_C(0x8AD72B10), UINT32_C(0xCE036E9B), ++ UINT32_C(0x917986CF), UINT32_C(0x463F9EBB), UINT32_C(0x1325CF9B), ++ UINT32_C(0xBE516328), UINT32_C(0xDD7E5FEA), UINT32_C(0xD28D5C50) } }, ++ { { UINT32_C(0xDD58BBE3), UINT32_C(0x714C1D1B), UINT32_C(0x039AFD0F), ++ UINT32_C(0x85BA01AE), UINT32_C(0x6951AC80), UINT32_C(0x7F23EA3A), ++ UINT32_C(0xAC00C837), UINT32_C(0x5C599290), UINT32_C(0xBF24CC1B), ++ UINT32_C(0xF6EFA2B3), UINT32_C(0x1E84462B), UINT32_C(0x393D8E42) }, ++ { UINT32_C(0xF8B89453), UINT32_C(0x9BDA627D), UINT32_C(0xB23E0D1B), ++ UINT32_C(0xE66FFF2E), UINT32_C(0xC3B94EC2), UINT32_C(0xD1EE7089), ++ UINT32_C(0x3031699A), UINT32_C(0xF75DBA6E), UINT32_C(0x242B2453), ++ UINT32_C(0x8FF75F79), UINT32_C(0x289BFED4), UINT32_C(0xE721EDEB) } }, ++ { { UINT32_C(0xC1390FA8), UINT32_C(0x083215A1), UINT32_C(0x6DCE8CE0), ++ UINT32_C(0x901D686A), UINT32_C(0x837073FF), UINT32_C(0x4AB1BA62), ++ UINT32_C(0x34BEABA5), UINT32_C(0x10C287AA), UINT32_C(0x46985239), ++ UINT32_C(0xB4931AF4), UINT32_C(0xB053C4DC), UINT32_C(0x07639899) }, ++ { UINT32_C(0xE721EECD), UINT32_C(0x29E7F44D), UINT32_C(0x57B3FF48), ++ UINT32_C(0x65817182), UINT32_C(0x5054E2E0), UINT32_C(0x198542E2), ++ UINT32_C(0x84616DE8), UINT32_C(0x923C9E15), UINT32_C(0xAD465BB9), ++ UINT32_C(0x2A9C15E1), UINT32_C(0x16319245), UINT32_C(0xD8D4EFC7) } }, ++ { { UINT32_C(0x9961A674), UINT32_C(0x72DC7943), UINT32_C(0xA0E13668), ++ UINT32_C(0x839A0A52), UINT32_C(0x334945EA), UINT32_C(0xD7A53FA9), ++ UINT32_C(0xE7AA25DB), UINT32_C(0xDB21DB77), UINT32_C(0x66E96DA3), ++ UINT32_C(0xB6675A7D), UINT32_C(0xE66F33C0), UINT32_C(0x2C31C406) }, ++ { UINT32_C(0x6EC7B9CB), UINT32_C(0x45020B62), UINT32_C(0x0391F267), ++ UINT32_C(0xFF46E9CD), UINT32_C(0x0FA2F221), UINT32_C(0x7DABD744), ++ UINT32_C(0x9D4A2A3E), UINT32_C(0x9A32364B), UINT32_C(0x52D2E47A), ++ UINT32_C(0xF0F84AE8), UINT32_C(0x888F488A), UINT32_C(0xD0B872BB) } }, ++ { { UINT32_C(0xC9790EEF), UINT32_C(0x531E4CEF), UINT32_C(0x2B8D1A58), ++ UINT32_C(0xF7B5735E), UINT32_C(0xEF568511), UINT32_C(0xB8882F1E), ++ UINT32_C(0x86A86DB3), UINT32_C(0xAFB08D1C), UINT32_C(0xF54DE8C7), ++ UINT32_C(0x88CB9DF2), UINT32_C(0x9A683282), UINT32_C(0xA44234F1) }, ++ { UINT32_C(0xA6E9AB2E), UINT32_C(0xBC1B3D3A), UINT32_C(0x87FC99EE), ++ UINT32_C(0xEFA071FB), UINT32_C(0xA102DC0F), UINT32_C(0xFA3C737D), ++ UINT32_C(0xD6A0CBD2), UINT32_C(0xDF3248A6), UINT32_C(0x1ECC1BF4), ++ UINT32_C(0x6E62A4FF), UINT32_C(0xC8F1BC17), UINT32_C(0xF718F940) } }, ++ { { UINT32_C(0x4F63F026), UINT32_C(0x2C8B0AAD), UINT32_C(0x50B253CC), ++ UINT32_C(0x2AFF6238), UINT32_C(0x10C4D122), UINT32_C(0xCAB3E942), ++ UINT32_C(0x07CD2816), UINT32_C(0x52B59F04), UINT32_C(0x982C41FC), ++ UINT32_C(0x22322803), UINT32_C(0x8CF50B19), UINT32_C(0x38844E66) }, ++ { UINT32_C(0xBE3264CD), UINT32_C(0x42A959F7), UINT32_C(0x6C983524), ++ UINT32_C(0xBDDC24BD), UINT32_C(0x462B8640), UINT32_C(0xA489EB0C), ++ UINT32_C(0x98029BE7), UINT32_C(0xB7C05092), UINT32_C(0xA1ADDC64), ++ UINT32_C(0xD5546B5F), UINT32_C(0xA0C655AF), UINT32_C(0xE7CAC1FC) } }, ++ { { UINT32_C(0x47636F97), UINT32_C(0x14547198), UINT32_C(0xEBCDCCFF), ++ UINT32_C(0x6FA67481), UINT32_C(0x395D3258), UINT32_C(0xC164872F), ++ UINT32_C(0xEE6ACDBC), UINT32_C(0xB8CECAFE), UINT32_C(0xA933F180), ++ UINT32_C(0x3FBFE5F3), UINT32_C(0x898C3B1E), UINT32_C(0xEC20CAC2) }, ++ { UINT32_C(0x87DA73F9), UINT32_C(0x6A031BEE), UINT32_C(0x5C5AF46E), ++ UINT32_C(0xD1E667D1), UINT32_C(0x1DC6EEF9), UINT32_C(0xCB3DC168), ++ UINT32_C(0x33D310C0), UINT32_C(0x2DD1BD94), UINT32_C(0x9207E438), ++ UINT32_C(0x0F78D493), UINT32_C(0xA99C0E75), UINT32_C(0xC233D544) } }, ++ { { UINT32_C(0x9E2A0113), UINT32_C(0x228F19F1), UINT32_C(0x0E1A5D37), ++ UINT32_C(0x58495BE5), UINT32_C(0x38D7F364), UINT32_C(0x97E08F69), ++ UINT32_C(0x510759B0), UINT32_C(0x1EC3BA3E), UINT32_C(0xE03CD40D), ++ UINT32_C(0x3682F19A), UINT32_C(0xF9E16D68), UINT32_C(0xC87745D8) }, ++ { UINT32_C(0x09A642EA), UINT32_C(0xFD527AB5), UINT32_C(0xF9C81F27), ++ UINT32_C(0x6308EEBD), UINT32_C(0x550C5D68), UINT32_C(0xFA9F666C), ++ UINT32_C(0x584AB153), UINT32_C(0xDEBA436F), UINT32_C(0x5B63E939), ++ UINT32_C(0x1D4861D3), UINT32_C(0xC9850221), UINT32_C(0x073BED9B) } }, ++ { { UINT32_C(0x8B171246), UINT32_C(0x802BCCF0), UINT32_C(0x733B072F), ++ UINT32_C(0xFFF7D15A), UINT32_C(0x4CBFA4EF), UINT32_C(0xEA386266), ++ UINT32_C(0xD635946B), UINT32_C(0x9E5B5073), UINT32_C(0xFA81BE95), ++ UINT32_C(0x16E9A979), UINT32_C(0xB14F701F), UINT32_C(0x41E8716E) }, ++ { UINT32_C(0x101A6719), UINT32_C(0x25782E0F), UINT32_C(0xC9D66959), ++ UINT32_C(0x442C4875), UINT32_C(0x2B85D153), UINT32_C(0x52D845D9), ++ UINT32_C(0x2E831117), UINT32_C(0xFF925138), UINT32_C(0x8E02434B), ++ UINT32_C(0x01B700CC), UINT32_C(0xEC0BAE3E), UINT32_C(0xD2DB7F8E) } }, ++ { { UINT32_C(0x966A4872), UINT32_C(0x1B225300), UINT32_C(0x566F537B), ++ UINT32_C(0x40C149BE), UINT32_C(0xCB680021), UINT32_C(0x3335F4D2), ++ UINT32_C(0x778E5F5F), UINT32_C(0x773D0263), UINT32_C(0x666FA9ED), ++ UINT32_C(0x1D9B7602), UINT32_C(0x2E6200CF), UINT32_C(0x52490A10) }, ++ { UINT32_C(0x961F290B), UINT32_C(0x8434C7DD), UINT32_C(0x64456446), ++ UINT32_C(0x773AC156), UINT32_C(0x47B712BB), UINT32_C(0x5E2BB789), ++ UINT32_C(0xBE0974AD), UINT32_C(0xFD3BCBFD), UINT32_C(0x791AD5D8), ++ UINT32_C(0x71AE9351), UINT32_C(0x6F4E1400), UINT32_C(0x1EE738BA) } }, ++ { { UINT32_C(0x0BE8E26E), UINT32_C(0x2FA428AB), UINT32_C(0xBB4CF9FC), ++ UINT32_C(0xFEFF0600), UINT32_C(0xB2EA5FB0), UINT32_C(0x76F25CA9), ++ UINT32_C(0x6835C5F4), UINT32_C(0xAB7FECF0), UINT32_C(0x19D5F328), ++ UINT32_C(0x649D0772), UINT32_C(0xACBCB12E), UINT32_C(0xABE7B895) }, ++ { UINT32_C(0xD69B1EA8), UINT32_C(0xF2D1031A), UINT32_C(0xC60B0BBB), ++ UINT32_C(0x46065D5D), UINT32_C(0x85D798FF), UINT32_C(0xB0908DC1), ++ UINT32_C(0xD2C9B18A), UINT32_C(0x4E2420F0), UINT32_C(0xD30432A2), ++ UINT32_C(0x6B3A9BDD), UINT32_C(0xC9B134AD), UINT32_C(0x501C3383) } }, ++ { { UINT32_C(0x98A21284), UINT32_C(0x608F0967), UINT32_C(0x059CCEDE), ++ UINT32_C(0x5361BE86), UINT32_C(0xAFD87EF7), UINT32_C(0x3A40655C), ++ UINT32_C(0x59083AA2), UINT32_C(0x03CF3117), UINT32_C(0xB6C366D9), ++ UINT32_C(0x57DB5F61), UINT32_C(0x6DD0D232), UINT32_C(0x29DC275B) }, ++ { UINT32_C(0x8FA67501), UINT32_C(0xBDAB24DD), UINT32_C(0x65D08C37), ++ UINT32_C(0x5928F775), UINT32_C(0x645D466A), UINT32_C(0x9448A856), ++ UINT32_C(0xC0E927A5), UINT32_C(0x6E6B5E2E), UINT32_C(0xE80C6871), ++ UINT32_C(0xE884D546), UINT32_C(0x53A9A851), UINT32_C(0x10C881C9) } }, ++ { { UINT32_C(0x9B627AA5), UINT32_C(0x35505374), UINT32_C(0x7976677B), ++ UINT32_C(0xE7CA1B57), UINT32_C(0x4976CE17), UINT32_C(0x81239712), ++ UINT32_C(0x96DA31B9), UINT32_C(0x96E9080B), UINT32_C(0xCC64AA1F), ++ UINT32_C(0x458254AB), UINT32_C(0x48E674C9), UINT32_C(0xFEFF6821) }, ++ { UINT32_C(0x021F1488), UINT32_C(0x8772F37A), UINT32_C(0xAB56345C), ++ UINT32_C(0x2E274E18), UINT32_C(0x29823B76), UINT32_C(0x7C7BE61C), ++ UINT32_C(0x9EEFB39E), UINT32_C(0x275DB7B2), UINT32_C(0xBF5CBCEF), ++ UINT32_C(0x83B10ED4), UINT32_C(0x518E5183), UINT32_C(0x40D7F5B4) } }, ++ { { UINT32_C(0xF960B41B), UINT32_C(0x315CCC01), UINT32_C(0x1D99E722), ++ UINT32_C(0x90B417C9), UINT32_C(0x013463E0), UINT32_C(0x84AFAA0D), ++ UINT32_C(0x13E6D9E1), UINT32_C(0xF133C5D8), UINT32_C(0x525B7430), ++ UINT32_C(0xD95C6ADC), UINT32_C(0x7A25106A), UINT32_C(0x082C61AD) }, ++ { UINT32_C(0xBA1CE179), UINT32_C(0xABC1966D), UINT32_C(0xA5DB529A), ++ UINT32_C(0xE0578B77), UINT32_C(0xEC84107D), UINT32_C(0x10988C05), ++ UINT32_C(0x1B207F83), UINT32_C(0xFCADE5D7), UINT32_C(0xC5BA83DB), ++ UINT32_C(0x0BEB6FDB), UINT32_C(0x57537E34), UINT32_C(0x1C39B86D) } }, ++ }, ++ { ++ { { UINT32_C(0x2A7AECED), UINT32_C(0x5B0B5D69), UINT32_C(0x01DC545F), ++ UINT32_C(0x4C03450C), UINT32_C(0x404A3458), UINT32_C(0x72AD0A4A), ++ UINT32_C(0x9F467B60), UINT32_C(0x1DE8E255), UINT32_C(0x90634809), ++ UINT32_C(0xA4B35705), UINT32_C(0x706F0178), UINT32_C(0x76F30205) }, ++ { UINT32_C(0x4454F0E5), UINT32_C(0x588D21AB), UINT32_C(0x64134928), ++ UINT32_C(0xD22DF549), UINT32_C(0x241BCD90), UINT32_C(0xF4E7E73D), ++ UINT32_C(0x2FACC7CC), UINT32_C(0xB8D8A1D2), UINT32_C(0x1D25D2A0), ++ UINT32_C(0x483C35A7), UINT32_C(0x1EF9F608), UINT32_C(0x7F8D2545) } }, ++ { { UINT32_C(0x54EBC926), UINT32_C(0xCB51F039), UINT32_C(0xB8D4A7BB), ++ UINT32_C(0xE235D356), UINT32_C(0xB41FE1A6), UINT32_C(0x93C8FAFA), ++ UINT32_C(0xA719F254), UINT32_C(0x6297701D), UINT32_C(0x644F5CDE), ++ UINT32_C(0x6E9165BC), UINT32_C(0x0C11C542), UINT32_C(0x6506329D) }, ++ { UINT32_C(0xA92B4250), UINT32_C(0xA2564809), UINT32_C(0x889C2E3E), ++ UINT32_C(0x0E9AC173), UINT32_C(0x22B1D1BE), UINT32_C(0x286A5926), ++ UINT32_C(0x6ECDD041), UINT32_C(0x86A3D752), UINT32_C(0x649F9524), ++ UINT32_C(0x4B867E0A), UINT32_C(0x0629CB0F), UINT32_C(0x1FE7D95A) } }, ++ { { UINT32_C(0xCA5BAF54), UINT32_C(0xF4F66843), UINT32_C(0xEFE7DB78), ++ UINT32_C(0x298DB357), UINT32_C(0x7365712F), UINT32_C(0xF607E86E), ++ UINT32_C(0x8A822BC0), UINT32_C(0xD5882298), UINT32_C(0xC61299B3), ++ UINT32_C(0x2CFBD63A), UINT32_C(0x67167B1A), UINT32_C(0x6F713D9B) }, ++ { UINT32_C(0xDE0B077A), UINT32_C(0x750F673F), UINT32_C(0xEE2178DA), ++ UINT32_C(0x07482708), UINT32_C(0x69123C75), UINT32_C(0x5E6D5BD1), ++ UINT32_C(0xEAB99B37), UINT32_C(0x6A93D1B6), UINT32_C(0x8CAEC6A3), ++ UINT32_C(0x6EF4F7E6), UINT32_C(0xCF3ED818), UINT32_C(0x7BE411D6) } }, ++ { { UINT32_C(0x63A0A7D2), UINT32_C(0xF92B3073), UINT32_C(0x881DC8CF), ++ UINT32_C(0x32DA431C), UINT32_C(0xC578E3A3), UINT32_C(0xE51BD5ED), ++ UINT32_C(0x9587FA22), UINT32_C(0xEFDA70D2), UINT32_C(0x9B2EBA85), ++ UINT32_C(0xCFEC1708), UINT32_C(0xAF7BA530), UINT32_C(0x6AB51A4B) }, ++ { UINT32_C(0x98174812), UINT32_C(0x5AC155AE), UINT32_C(0xCCB076E3), ++ UINT32_C(0xCAF07A71), UINT32_C(0xC38718A7), UINT32_C(0x280E86C2), ++ UINT32_C(0xD63745B7), UINT32_C(0x9D12DE73), UINT32_C(0xBF8A79AA), ++ UINT32_C(0x0E8EA855), UINT32_C(0xBD705BF7), UINT32_C(0x5EB2BED8) } }, ++ { { UINT32_C(0xAE16DE53), UINT32_C(0x33FE9578), UINT32_C(0x10BEC902), ++ UINT32_C(0x3AE85EB5), UINT32_C(0x44AF850E), UINT32_C(0xC4F49658), ++ UINT32_C(0x087DD658), UINT32_C(0x6EA222B3), UINT32_C(0xA51F1447), ++ UINT32_C(0xB255E6FD), UINT32_C(0x117E3F48), UINT32_C(0xB35E4997) }, ++ { UINT32_C(0x05616CA1), UINT32_C(0x562E813B), UINT32_C(0x8A61E156), ++ UINT32_C(0xDF5925D6), UINT32_C(0x571C728B), UINT32_C(0xB2FA8125), ++ UINT32_C(0xA2F2D1CF), UINT32_C(0x00864805), UINT32_C(0x1BCCB6FF), ++ UINT32_C(0x2DC26F41), UINT32_C(0x63AE37DD), UINT32_C(0xEBD5E093) } }, ++ { { UINT32_C(0x0A285611), UINT32_C(0xD2D68BB3), UINT32_C(0xDC8378F2), ++ UINT32_C(0x3EAE7596), UINT32_C(0x6CC688A3), UINT32_C(0x2DC6CCC6), ++ UINT32_C(0x011F5DFB), UINT32_C(0xC45E5713), UINT32_C(0x62D34487), ++ UINT32_C(0x6B9C4F6C), UINT32_C(0x1FC65551), UINT32_C(0xFAD6F077) }, ++ { UINT32_C(0x62B23B52), UINT32_C(0x5E3266E0), UINT32_C(0xE98F4715), ++ UINT32_C(0xF1DAF319), UINT32_C(0x3ED0AE83), UINT32_C(0x064D12EA), ++ UINT32_C(0x564125CB), UINT32_C(0x5CCF9326), UINT32_C(0xC63C1E9F), ++ UINT32_C(0x09057022), UINT32_C(0xDC9B5D2E), UINT32_C(0x7171972C) } }, ++ { { UINT32_C(0xEABD21B2), UINT32_C(0x2364FD9A), UINT32_C(0x9174AD6D), ++ UINT32_C(0x3CE5F4BB), UINT32_C(0xB38688C0), UINT32_C(0xA4D6D5D0), ++ UINT32_C(0x6D87FD7D), UINT32_C(0x2292A2D2), UINT32_C(0x4CA02E54), ++ UINT32_C(0x2A7D1B53), UINT32_C(0xB4185715), UINT32_C(0x7BEE6E7E) }, ++ { UINT32_C(0x8FC63ACD), UINT32_C(0x73E54609), UINT32_C(0x4064E09D), ++ UINT32_C(0xF4D93A12), UINT32_C(0x2B92DAA5), UINT32_C(0xD20E157A), ++ UINT32_C(0xC4B81A00), UINT32_C(0x90D125DB), UINT32_C(0x7682DE13), ++ UINT32_C(0xCB951C9E), UINT32_C(0x27987545), UINT32_C(0x1ABE58F4) } }, ++ { { UINT32_C(0x30C70C8D), UINT32_C(0x6D351640), UINT32_C(0xCE2361B8), ++ UINT32_C(0x8047D811), UINT32_C(0xDF8E2C81), UINT32_C(0x3F8B3D4F), ++ UINT32_C(0x33FA1F6C), UINT32_C(0x5D595477), UINT32_C(0xE29B8A91), ++ UINT32_C(0xF769FE5A), UINT32_C(0xD737B2A2), UINT32_C(0x26F0E606) }, ++ { UINT32_C(0xB8B31C6A), UINT32_C(0x70CBFA5D), UINT32_C(0x863D3AEA), ++ UINT32_C(0x0F883B4A), UINT32_C(0xE386AE2F), UINT32_C(0x156A4479), ++ UINT32_C(0xADE8A684), UINT32_C(0xA17A2FCD), UINT32_C(0xE2A7E335), ++ UINT32_C(0x78BDF958), UINT32_C(0x3B9E3041), UINT32_C(0xD1B4E673) } }, ++ { { UINT32_C(0x449A6D11), UINT32_C(0x1EAF48EC), UINT32_C(0x6D2FA7B9), ++ UINT32_C(0x6B94B8E4), UINT32_C(0x728E4C1B), UINT32_C(0x1D75D269), ++ UINT32_C(0xDD304E2C), UINT32_C(0x91123819), UINT32_C(0x88804F4B), ++ UINT32_C(0x0B34CAE3), UINT32_C(0xC5495E9A), UINT32_C(0x2BA192FB) }, ++ { UINT32_C(0xFF4D24BF), UINT32_C(0xC93FF6EF), UINT32_C(0x0342BA78), ++ UINT32_C(0xF8C2C0B0), UINT32_C(0x831EB94C), UINT32_C(0x8041F769), ++ UINT32_C(0x7782985E), UINT32_C(0x35310074), UINT32_C(0x3AF84E83), ++ UINT32_C(0xC755320B), UINT32_C(0x6F497E7F), UINT32_C(0x384B6D26) } }, ++ { { UINT32_C(0x17E6BD17), UINT32_C(0xEF92CD59), UINT32_C(0xA426965C), ++ UINT32_C(0xA087305B), UINT32_C(0xAC47F773), UINT32_C(0x13895CE7), ++ UINT32_C(0xE0BB2867), UINT32_C(0xB85F2A9F), UINT32_C(0x7CD7C58E), ++ UINT32_C(0x2926E6AA), UINT32_C(0x450459C5), UINT32_C(0xE544EDA6) }, ++ { UINT32_C(0xB90A9849), UINT32_C(0x73DBC351), UINT32_C(0x848EBE86), ++ UINT32_C(0x961183F6), UINT32_C(0x80534712), UINT32_C(0xC45BB210), ++ UINT32_C(0xA654D9A3), UINT32_C(0x379D08D7), UINT32_C(0xBD3FFA9C), ++ UINT32_C(0x5B97CEF2), UINT32_C(0xDDC2FCE5), UINT32_C(0x0F469F34) } }, ++ { { UINT32_C(0x0642F38D), UINT32_C(0x6D146108), UINT32_C(0xD21EB887), ++ UINT32_C(0x055171A0), UINT32_C(0xD0DCEB28), UINT32_C(0x28DFFAB4), ++ UINT32_C(0x98DE9CCD), UINT32_C(0x0D0E6312), UINT32_C(0x118C3C3F), ++ UINT32_C(0x750A9156), UINT32_C(0xB049D799), UINT32_C(0x8C1F1390) }, ++ { UINT32_C(0x439607C5), UINT32_C(0xE4823858), UINT32_C(0x5C111EAB), ++ UINT32_C(0x947E9BA0), UINT32_C(0xA355DF2E), UINT32_C(0x39C95616), ++ UINT32_C(0x10E54BDA), UINT32_C(0xF5F6B98E), UINT32_C(0x142B876A), ++ UINT32_C(0xB0E0B33D), UINT32_C(0xEA18C90C), UINT32_C(0x71197D73) } }, ++ { { UINT32_C(0xF52BE819), UINT32_C(0x36A5139D), UINT32_C(0x29A45D2B), ++ UINT32_C(0xF60DDF34), UINT32_C(0xE9220E34), UINT32_C(0x0727EFEC), ++ UINT32_C(0x4EF7F446), UINT32_C(0x431D3386), UINT32_C(0xFCC4962C), ++ UINT32_C(0xC3165A64), UINT32_C(0xD64362BB), UINT32_C(0xB7D926E1) }, ++ { UINT32_C(0xD45F9350), UINT32_C(0x216BC61F), UINT32_C(0xBBAED815), ++ UINT32_C(0xA974CB2F), UINT32_C(0x86FB2F76), UINT32_C(0x31DF342D), ++ UINT32_C(0x01D78314), UINT32_C(0x3AB67E05), UINT32_C(0xDEE33ED2), ++ UINT32_C(0x7AA951E0), UINT32_C(0xCEC78D94), UINT32_C(0x318FBBBD) } }, ++ { { UINT32_C(0xB8FE0204), UINT32_C(0xAD7EFB65), UINT32_C(0x230AB7F7), ++ UINT32_C(0x0432E1C5), UINT32_C(0x9C967400), UINT32_C(0x7563A62D), ++ UINT32_C(0x3524D4FF), UINT32_C(0xD88B9C74), UINT32_C(0xF1A823E3), ++ UINT32_C(0x16A1991C), UINT32_C(0xFA6F0FFB), UINT32_C(0xCF2F9BFE) }, ++ { UINT32_C(0xA50CA61F), UINT32_C(0x55AAA946), UINT32_C(0xFED4CAB3), ++ UINT32_C(0x8CBBD3C8), UINT32_C(0x7651365A), UINT32_C(0x03A0FAB8), ++ UINT32_C(0x62DC3913), UINT32_C(0x46B5234B), UINT32_C(0xB558CBBD), ++ UINT32_C(0xFD875B28), UINT32_C(0x11CEB361), UINT32_C(0xA48EC3AE) } }, ++ { { UINT32_C(0xB3ADBD8B), UINT32_C(0x5DD131A1), UINT32_C(0x29B45EF8), ++ UINT32_C(0xF9FBCA3A), UINT32_C(0x9341EE18), UINT32_C(0x02204866), ++ UINT32_C(0x83BF9618), UINT32_C(0x8D13B895), UINT32_C(0xE807459C), ++ UINT32_C(0x0E395BAE), UINT32_C(0xB190E7DB), UINT32_C(0xB9C110CC) }, ++ { UINT32_C(0x25D25063), UINT32_C(0xA0DC3452), UINT32_C(0x02371462), ++ UINT32_C(0x2FB78EC8), UINT32_C(0x8975C2D5), UINT32_C(0xC3A9E7BB), ++ UINT32_C(0x85A78264), UINT32_C(0x94666872), UINT32_C(0x8029AA92), ++ UINT32_C(0x480D2CC2), UINT32_C(0x5655726D), UINT32_C(0x237086C7) } }, ++ { { UINT32_C(0x65EB9EEE), UINT32_C(0x197F14BB), UINT32_C(0x9F12E5FD), ++ UINT32_C(0xFC93125C), UINT32_C(0x8BFBAE5E), UINT32_C(0x9C20BC53), ++ UINT32_C(0x4BC053BA), UINT32_C(0xB35E2154), UINT32_C(0x21C3898E), ++ UINT32_C(0xE5FA9CC7), UINT32_C(0xD42F950F), UINT32_C(0x502D72FF) }, ++ { UINT32_C(0xD1EB8C31), UINT32_C(0x6812D38A), UINT32_C(0x080D30BB), ++ UINT32_C(0x1F77F3F1), UINT32_C(0x5A8B1E98), UINT32_C(0x18D12833), ++ UINT32_C(0x299196CE), UINT32_C(0x7FD39FA9), UINT32_C(0xCF4ED6D6), ++ UINT32_C(0xFB8C9F11), UINT32_C(0xD6363194), UINT32_C(0x4C00F604) } }, ++ { { UINT32_C(0xFA2A21C2), UINT32_C(0x5C8AFCF9), UINT32_C(0x1928D133), ++ UINT32_C(0x71CBF282), UINT32_C(0x42B29506), UINT32_C(0x56BEF28E), ++ UINT32_C(0x70323DE2), UINT32_C(0xAFBA250C), UINT32_C(0x7DED2C30), ++ UINT32_C(0x3FE208D1), UINT32_C(0xCE9AA598), UINT32_C(0xBD2CD213) }, ++ { UINT32_C(0xCFEED070), UINT32_C(0x52C5EC52), UINT32_C(0xD3DA336B), ++ UINT32_C(0x0A7223E7), UINT32_C(0xCE156B46), UINT32_C(0x7156A4ED), ++ UINT32_C(0xED7E6159), UINT32_C(0x9AF6C499), UINT32_C(0x13C029AD), ++ UINT32_C(0x9D7A6797), UINT32_C(0x9018DC77), UINT32_C(0xE5B5C924) } }, ++ }, ++ { ++ { { UINT32_C(0xDE1E4E55), UINT32_C(0x3F2EFF53), UINT32_C(0xE4D3ECC4), ++ UINT32_C(0x6B749943), UINT32_C(0x0DDE190D), UINT32_C(0xAF10B18A), ++ UINT32_C(0xA26B0409), UINT32_C(0xF491B98D), UINT32_C(0xA2B1D944), ++ UINT32_C(0x66080782), UINT32_C(0x97E8C541), UINT32_C(0x59277DC6) }, ++ { UINT32_C(0x006F18AA), UINT32_C(0xFDBFC5F6), UINT32_C(0xFADD8BE1), ++ UINT32_C(0x435D165B), UINT32_C(0x57645EF4), UINT32_C(0x8E5D2638), ++ UINT32_C(0xA0258363), UINT32_C(0x31BCFDA6), UINT32_C(0xD35D2503), ++ UINT32_C(0xF5330AB8), UINT32_C(0xC7CAB285), UINT32_C(0xB71369F0) } }, ++ { { UINT32_C(0x40ACC5A8), UINT32_C(0xE6A19DCC), UINT32_C(0xDBC6DBF8), ++ UINT32_C(0x1C3A1FF1), UINT32_C(0xC6455613), UINT32_C(0xB4D89B9F), ++ UINT32_C(0xA7390D0E), UINT32_C(0x6CB0FE44), UINT32_C(0x59EA135A), ++ UINT32_C(0xADE197A4), UINT32_C(0x20680982), UINT32_C(0xDA6AA865) }, ++ { UINT32_C(0x5A442C1B), UINT32_C(0x03DB9BE9), UINT32_C(0x2BFB93F2), ++ UINT32_C(0x221A2D73), UINT32_C(0x753C196C), UINT32_C(0x44DEE8D4), ++ UINT32_C(0x0B7C6FF5), UINT32_C(0x59ADCC70), UINT32_C(0x4CA1B142), ++ UINT32_C(0xC6260EC2), UINT32_C(0x46CBD4F2), UINT32_C(0x4C3CB5C6) } }, ++ { { UINT32_C(0xA417111F), UINT32_C(0x8A15D6FE), UINT32_C(0x71D93FCC), ++ UINT32_C(0xFE4A16BD), UINT32_C(0x55BBE732), UINT32_C(0x7A7EE38C), ++ UINT32_C(0x1FF94A9D), UINT32_C(0xEFF146A5), UINT32_C(0xDD585AB5), ++ UINT32_C(0xE572D13E), UINT32_C(0x06491A5D), UINT32_C(0xD879790E) }, ++ { UINT32_C(0x2A58CB2E), UINT32_C(0x9C84E1C5), UINT32_C(0x6C938630), ++ UINT32_C(0xD79D1374), UINT32_C(0x385F06C7), UINT32_C(0xDB12CD9B), ++ UINT32_C(0x7A7759C3), UINT32_C(0x0C93EB97), UINT32_C(0x683BD706), ++ UINT32_C(0xF1F5B0FE), UINT32_C(0x85EC3D50), UINT32_C(0x541E4F72) } }, ++ { { UINT32_C(0x81833608), UINT32_C(0x9A0E1535), UINT32_C(0x6E2833AC), ++ UINT32_C(0x5CCE871E), UINT32_C(0xFB29777C), UINT32_C(0xC17059EA), ++ UINT32_C(0xE354CAFD), UINT32_C(0x7E40E5FA), UINT32_C(0x4D07C371), ++ UINT32_C(0x9CF59405), UINT32_C(0xA71C3945), UINT32_C(0x64CE36B2) }, ++ { UINT32_C(0x56CAF487), UINT32_C(0x69309E96), UINT32_C(0x1AE3454B), ++ UINT32_C(0x3D719E9F), UINT32_C(0xE25823B6), UINT32_C(0xF2164070), ++ UINT32_C(0x0BC27359), UINT32_C(0xEAD851BD), UINT32_C(0xB0925094), ++ UINT32_C(0x3D21BFE8), UINT32_C(0x34A97F4E), UINT32_C(0xA783B1E9) } }, ++ { { UINT32_C(0x9546491A), UINT32_C(0x406B0C26), UINT32_C(0xF293C4E5), ++ UINT32_C(0x9E5E15E2), UINT32_C(0x15B164DB), UINT32_C(0xC60D6413), ++ UINT32_C(0x0C75A78E), UINT32_C(0x0DA46F53), UINT32_C(0xEA0C656B), ++ UINT32_C(0x7C599BB7), UINT32_C(0x1B1A8122), UINT32_C(0x0F07A512) }, ++ { UINT32_C(0x15172686), UINT32_C(0x14C7204A), UINT32_C(0x5165625D), ++ UINT32_C(0x8FAEDFF8), UINT32_C(0x37AEDE40), UINT32_C(0x20F260CE), ++ UINT32_C(0x8F357FFE), UINT32_C(0xC81F771E), UINT32_C(0xB0912557), ++ UINT32_C(0x25499197), UINT32_C(0x4C739C74), UINT32_C(0x736197DC) } }, ++ { { UINT32_C(0x381B3462), UINT32_C(0x6151BAB1), UINT32_C(0x43DBD344), ++ UINT32_C(0x27E5A078), UINT32_C(0xA1C3E9FB), UINT32_C(0x2CB05BD6), ++ UINT32_C(0x27CF2A11), UINT32_C(0x2A759760), UINT32_C(0xFF43E702), ++ UINT32_C(0x0ADCF9DB), UINT32_C(0x1F484146), UINT32_C(0x4BBF03E2) }, ++ { UINT32_C(0x55B6521A), UINT32_C(0x0E74997F), UINT32_C(0xADE17086), ++ UINT32_C(0x15629231), UINT32_C(0x7493FC58), UINT32_C(0x7F143E86), ++ UINT32_C(0xAF8B9670), UINT32_C(0x60869095), UINT32_C(0x7E524869), ++ UINT32_C(0x482CFCD7), UINT32_C(0x1D454756), UINT32_C(0x9E8060C3) } }, ++ { { UINT32_C(0xC88B4D3B), UINT32_C(0xE495747A), UINT32_C(0xAE8A948F), ++ UINT32_C(0xB7559835), UINT32_C(0xDEB56853), UINT32_C(0x67EEF3A9), ++ UINT32_C(0x9DEE5ADF), UINT32_C(0x0E20E269), UINT32_C(0x61F0A1AA), ++ UINT32_C(0x9031AF67), UINT32_C(0x683402BC), UINT32_C(0x76669D32) }, ++ { UINT32_C(0x06718B16), UINT32_C(0x90BD2313), UINT32_C(0x864EFDAC), ++ UINT32_C(0xE1B22A21), UINT32_C(0x6620089F), UINT32_C(0xE4FFE909), ++ UINT32_C(0x3428E2D9), UINT32_C(0xB84C842E), UINT32_C(0xFE3871FC), ++ UINT32_C(0x0E28C880), UINT32_C(0x3F21C200), UINT32_C(0x8932F698) } }, ++ { { UINT32_C(0x6C90EA5D), UINT32_C(0x603F00CE), UINT32_C(0x40A2F693), ++ UINT32_C(0x64739307), UINT32_C(0x2174E517), UINT32_C(0xAF65148B), ++ UINT32_C(0xF784AE74), UINT32_C(0x162FC2CA), UINT32_C(0x4D5F6458), ++ UINT32_C(0x0D9A8825), UINT32_C(0x43AACE93), UINT32_C(0x0C2D5861) }, ++ { UINT32_C(0x9F73CBFC), UINT32_C(0xBF1EADDE), UINT32_C(0x9C68BBCA), ++ UINT32_C(0xDE9C34C0), UINT32_C(0x67EF8A1A), UINT32_C(0x6D95602D), ++ UINT32_C(0xA791B241), UINT32_C(0x0AF2581B), UINT32_C(0x12CAD604), ++ UINT32_C(0x14F77361), UINT32_C(0xE2ACD1AD), UINT32_C(0x19F2354D) } }, ++ { { UINT32_C(0x0D60F263), UINT32_C(0x272F78F6), UINT32_C(0x208FD785), ++ UINT32_C(0xE7A8F4AF), UINT32_C(0x36554F2C), UINT32_C(0x10E191C6), ++ UINT32_C(0xFD5CD0B3), UINT32_C(0x06D88551), UINT32_C(0x57069C27), ++ UINT32_C(0x29BF8568), UINT32_C(0x28AA6FAD), UINT32_C(0x3CE7ECD8) }, ++ { UINT32_C(0xE9F1A1D8), UINT32_C(0x7D8A92D0), UINT32_C(0xD30B5725), ++ UINT32_C(0xD40C7FF8), UINT32_C(0xF54CAEB8), UINT32_C(0x16BE6CB2), ++ UINT32_C(0x14CB0A91), UINT32_C(0x14CA471A), UINT32_C(0x02733CAE), ++ UINT32_C(0xD5FF15B8), UINT32_C(0xDAA76580), UINT32_C(0xCAF88D87) } }, ++ { { UINT32_C(0x2C046592), UINT32_C(0x39430E22), UINT32_C(0x1AD26706), ++ UINT32_C(0x6CDAE81F), UINT32_C(0xA25D9106), UINT32_C(0x8C102159), ++ UINT32_C(0x27CA9F30), UINT32_C(0x9A440572), UINT32_C(0x70287FBC), ++ UINT32_C(0x8D34C430), UINT32_C(0x29DB8AFA), UINT32_C(0x9003A455) }, ++ { UINT32_C(0x7FD971AD), UINT32_C(0x91364CC3), UINT32_C(0x9C60EDB7), ++ UINT32_C(0x7B3AA048), UINT32_C(0x526F4DD8), UINT32_C(0x58B0E008), ++ UINT32_C(0xD86D98AE), UINT32_C(0xB7674454), UINT32_C(0xB2B45747), ++ UINT32_C(0xC25F4051), UINT32_C(0xCC043E8F), UINT32_C(0x8243BF9C) } }, ++ { { UINT32_C(0x43A0C387), UINT32_C(0xA89641C6), UINT32_C(0x87B9AB17), ++ UINT32_C(0x6D92205C), UINT32_C(0xDAA0E102), UINT32_C(0x37D691F4), ++ UINT32_C(0xCDE5312E), UINT32_C(0xEB3E52D7), UINT32_C(0x16F518A2), ++ UINT32_C(0x60D3C099), UINT32_C(0x8A378EEB), UINT32_C(0x7854C051) }, ++ { UINT32_C(0x4BBCAAC5), UINT32_C(0x7359DB51), UINT32_C(0x1713F102), ++ UINT32_C(0xF5B1B68C), UINT32_C(0xE4398DE5), UINT32_C(0xDAEAE645), ++ UINT32_C(0xD1ABFB82), UINT32_C(0x8C8ACB6C), UINT32_C(0x136423E2), ++ UINT32_C(0x2E8B76C3), UINT32_C(0xA8BA015E), UINT32_C(0x509DCB2D) } }, ++ { { UINT32_C(0x9AD9C59C), UINT32_C(0x2FF36815), UINT32_C(0x658E65B9), ++ UINT32_C(0xB189A4E8), UINT32_C(0xEA786AD2), UINT32_C(0x7D33DDBB), ++ UINT32_C(0xC0D2DC05), UINT32_C(0x96D0D648), UINT32_C(0xBFA03BE9), ++ UINT32_C(0x05E49256), UINT32_C(0x8BAF5A1C), UINT32_C(0x0EA4E7A6) }, ++ { UINT32_C(0x9F9AD5A8), UINT32_C(0x3DDCE0B0), UINT32_C(0x9E49C2CB), ++ UINT32_C(0xF7809195), UINT32_C(0x21782C2F), UINT32_C(0xBFCEF29D), ++ UINT32_C(0xC41BFD97), UINT32_C(0xE57AD39F), UINT32_C(0x1355AD19), ++ UINT32_C(0xC04B93E8), UINT32_C(0x59440F9F), UINT32_C(0xAABC9E6E) } }, ++ { { UINT32_C(0x5B6459DA), UINT32_C(0x7AA48103), UINT32_C(0x0166E880), ++ UINT32_C(0x83EF7477), UINT32_C(0x511CCE80), UINT32_C(0x536182B1), ++ UINT32_C(0x73CA55AA), UINT32_C(0xAFDD2EEE), UINT32_C(0xA8716143), ++ UINT32_C(0xAB910D0D), UINT32_C(0x83707250), UINT32_C(0x8BEAA42B) }, ++ { UINT32_C(0x8DA2AB3D), UINT32_C(0x4BCCFD89), UINT32_C(0xEC6AA105), ++ UINT32_C(0x1DBF68A9), UINT32_C(0x68EB42DA), UINT32_C(0x32CE6108), ++ UINT32_C(0x8EA62E37), UINT32_C(0x5C2C2C85), UINT32_C(0xCD3088A7), ++ UINT32_C(0x1ED2791F), UINT32_C(0xFF05070C), UINT32_C(0x496B4FEB) } }, ++ { { UINT32_C(0x0AA629C5), UINT32_C(0x9FA9121A), UINT32_C(0x57558BEC), ++ UINT32_C(0xE286CFF1), UINT32_C(0x59813A4D), UINT32_C(0x4D9D657E), ++ UINT32_C(0x26103519), UINT32_C(0xC4676A16), UINT32_C(0x2BD4DF80), ++ UINT32_C(0x616160B3), UINT32_C(0x30FBAE87), UINT32_C(0x26FB78CC) }, ++ { UINT32_C(0x8F0F66BD), UINT32_C(0x09607013), UINT32_C(0x03D9B90D), ++ UINT32_C(0xDD4E2D0C), UINT32_C(0x600D1B12), UINT32_C(0x5D3A8912), ++ UINT32_C(0x4308E126), UINT32_C(0xF76DD52F), UINT32_C(0x9E4FCCA6), ++ UINT32_C(0x97CC0409), UINT32_C(0x04C4DF7B), UINT32_C(0x0CFBE311) } }, ++ { { UINT32_C(0x28437A23), UINT32_C(0x6CA62C12), UINT32_C(0x40E7A003), ++ UINT32_C(0x0DAF3353), UINT32_C(0xD20F8079), UINT32_C(0x1FD07DF0), ++ UINT32_C(0x3BBC9749), UINT32_C(0xEAE7969C), UINT32_C(0x9ECAD022), ++ UINT32_C(0x55861AFA), UINT32_C(0x1FBC3D4C), UINT32_C(0xEC41DAD9) }, ++ { UINT32_C(0xDA8B261B), UINT32_C(0x1FE4CB40), UINT32_C(0x427C5C9D), ++ UINT32_C(0xC2671AB6), UINT32_C(0x261D4939), UINT32_C(0xDFCDA7B8), ++ UINT32_C(0x2072C0B9), UINT32_C(0x9E7B802B), UINT32_C(0xC7828CC2), ++ UINT32_C(0x3AFEE900), UINT32_C(0xF6DE987F), UINT32_C(0x3488BF28) } }, ++ { { UINT32_C(0x7BE1F89E), UINT32_C(0x33B9F2DE), UINT32_C(0x299B15C9), ++ UINT32_C(0xD4E80821), UINT32_C(0x0E13F37F), UINT32_C(0x87A3067A), ++ UINT32_C(0x55FD239F), UINT32_C(0x6D4C09ED), UINT32_C(0x92EF014F), ++ UINT32_C(0x48B1042D), UINT32_C(0xB385A759), UINT32_C(0xA382B2E0) }, ++ { UINT32_C(0x7F6F84F8), UINT32_C(0xBF571BB0), UINT32_C(0x0CE87F50), ++ UINT32_C(0x25AFFA37), UINT32_C(0xFE54F1BC), UINT32_C(0x826906D3), ++ UINT32_C(0xC53AE76A), UINT32_C(0x6B0421F4), UINT32_C(0x4855EB3C), ++ UINT32_C(0x44F85A3A), UINT32_C(0x8D1F2B27), UINT32_C(0xF49E2151) } }, ++ }, ++ { ++ { { UINT32_C(0x5E3C647B), UINT32_C(0xC0426B77), UINT32_C(0x8CF05348), ++ UINT32_C(0xBFCBD939), UINT32_C(0x172C0D3D), UINT32_C(0x31D312E3), ++ UINT32_C(0xEE754737), UINT32_C(0x5F49FDE6), UINT32_C(0x6DA7EE61), ++ UINT32_C(0x895530F0), UINT32_C(0xE8B3A5FB), UINT32_C(0xCF281B0A) }, ++ { UINT32_C(0x41B8A543), UINT32_C(0xFD149735), UINT32_C(0x3080DD30), ++ UINT32_C(0x41A625A7), UINT32_C(0x653908CF), UINT32_C(0xE2BAAE07), ++ UINT32_C(0xBA02A278), UINT32_C(0xC3D01436), UINT32_C(0x7B21B8F8), ++ UINT32_C(0xA0D0222E), UINT32_C(0xD7EC1297), UINT32_C(0xFDC270E9) } }, ++ { { UINT32_C(0x9F101E64), UINT32_C(0x06A67BD2), UINT32_C(0xE1733A4A), ++ UINT32_C(0xCB6E0AC7), UINT32_C(0x97BC62D2), UINT32_C(0xEE0B5D51), ++ UINT32_C(0x24C51874), UINT32_C(0x52B17039), UINT32_C(0x82A1A0D5), ++ UINT32_C(0xFED1F423), UINT32_C(0xDB6270AC), UINT32_C(0x55D90569) }, ++ { UINT32_C(0x5D73D533), UINT32_C(0x36BE4A9C), UINT32_C(0x976ED4D5), ++ UINT32_C(0xBE9266D6), UINT32_C(0xB8F8074B), UINT32_C(0xC17436D3), ++ UINT32_C(0x718545C6), UINT32_C(0x3BB4D399), UINT32_C(0x5C757D21), ++ UINT32_C(0x8E1EA355), UINT32_C(0x8C474366), UINT32_C(0xF7EDBC97) } }, ++ { { UINT32_C(0x6EA83242), UINT32_C(0xEC72C650), UINT32_C(0x1B2D237F), ++ UINT32_C(0xF7DE7BE5), UINT32_C(0x1819EFB0), UINT32_C(0x3C5E2200), ++ UINT32_C(0x8CDDE870), UINT32_C(0xDF5AB6D6), UINT32_C(0x92A87AEE), ++ UINT32_C(0x75A44E9D), UINT32_C(0xBCF77F19), UINT32_C(0xBDDC46F4) }, ++ { UINT32_C(0x669B674D), UINT32_C(0x8191EFBD), UINT32_C(0xED71768F), ++ UINT32_C(0x52884DF9), UINT32_C(0x65CF242C), UINT32_C(0xE62BE582), ++ UINT32_C(0x80B1D17B), UINT32_C(0xAE99A3B1), UINT32_C(0x92DE59A9), ++ UINT32_C(0x48CBB446), UINT32_C(0x2DCB3CE2), UINT32_C(0xD3C226CF) } }, ++ { { UINT32_C(0x9FD94EC4), UINT32_C(0x9580CDFB), UINT32_C(0x28631AD9), ++ UINT32_C(0xED273A6C), UINT32_C(0xC327F3E7), UINT32_C(0x5D3D5F77), ++ UINT32_C(0x35353C5F), UINT32_C(0x05D5339C), UINT32_C(0x5C258EB1), ++ UINT32_C(0xC56FB5FE), UINT32_C(0xEDCE1F79), UINT32_C(0xEFF8425E) }, ++ { UINT32_C(0xCF83CF9C), UINT32_C(0xAB7AA141), UINT32_C(0x207D6D4F), ++ UINT32_C(0xBD2A690A), UINT32_C(0x458D9E52), UINT32_C(0xE1241491), ++ UINT32_C(0xAA7F0F31), UINT32_C(0xDD2448CC), UINT32_C(0xF0FDA7AB), ++ UINT32_C(0xEC58D3C7), UINT32_C(0xC91BBA4D), UINT32_C(0x7B6E122D) } }, ++ { { UINT32_C(0xB1B48156), UINT32_C(0x2A2DEDAF), UINT32_C(0xBB93DB87), ++ UINT32_C(0xA0A2C63A), UINT32_C(0x08ACD99E), UINT32_C(0xC6559078), ++ UINT32_C(0xFE4AC331), UINT32_C(0x03EA42AF), UINT32_C(0xEB180ED6), ++ UINT32_C(0x43D2C14A), UINT32_C(0xB1156A1A), UINT32_C(0xC2F293DD) }, ++ { UINT32_C(0xA9D81249), UINT32_C(0x1FAFABF5), UINT32_C(0x9A8EEE87), ++ UINT32_C(0x39ADDEAD), UINT32_C(0x119E2E92), UINT32_C(0x21E206F2), ++ UINT32_C(0xD74DCEB6), UINT32_C(0xBC5DCC2E), UINT32_C(0x0A73A358), ++ UINT32_C(0x86647FA3), UINT32_C(0x2F53F642), UINT32_C(0xEAD8BEA4) } }, ++ { { UINT32_C(0x91C09091), UINT32_C(0x636225F5), UINT32_C(0x71BDCFDF), ++ UINT32_C(0xCCF5070A), UINT32_C(0xB9668EE2), UINT32_C(0x0EF8D625), ++ UINT32_C(0xB5E04E4F), UINT32_C(0x57BDF6CD), UINT32_C(0x7C75EA43), ++ UINT32_C(0xFC6AB0A6), UINT32_C(0xF7FD6EF3), UINT32_C(0xEB6B8AFB) }, ++ { UINT32_C(0x2A3DF404), UINT32_C(0x5B2AEEF0), UINT32_C(0xB9823197), ++ UINT32_C(0x31FD3B48), UINT32_C(0x83A7EB23), UINT32_C(0x56226DB6), ++ UINT32_C(0x5BB1ED2F), UINT32_C(0x3772C21E), UINT32_C(0xCD1ABA6A), ++ UINT32_C(0x3E833624), UINT32_C(0xAC672DAD), UINT32_C(0xBAE58FFA) } }, ++ { { UINT32_C(0x31BA1705), UINT32_C(0xCE92224D), UINT32_C(0xF0197F63), ++ UINT32_C(0x022C6ED2), UINT32_C(0xA4DC1113), UINT32_C(0x21F18D99), ++ UINT32_C(0x03616BF1), UINT32_C(0x5CD04DE8), UINT32_C(0x9FF12E08), ++ UINT32_C(0x6F900679), UINT32_C(0x48E61DDF), UINT32_C(0xF59A3315) }, ++ { UINT32_C(0xB51BD024), UINT32_C(0x9474D42C), UINT32_C(0x9051E49D), ++ UINT32_C(0x11A0A413), UINT32_C(0xDCE70EDB), UINT32_C(0x79C92705), ++ UINT32_C(0x34198426), UINT32_C(0x113CE278), UINT32_C(0xEA8616D2), ++ UINT32_C(0x8978396F), UINT32_C(0xEA894C36), UINT32_C(0x9A2A14D0) } }, ++ { { UINT32_C(0x604F6E4A), UINT32_C(0x4F1E1254), UINT32_C(0x0187D585), ++ UINT32_C(0x4513B088), UINT32_C(0x19E0F482), UINT32_C(0x9022F257), ++ UINT32_C(0xE2239DBF), UINT32_C(0x51FB2A80), UINT32_C(0x998ED9D5), ++ UINT32_C(0x49940D9E), UINT32_C(0x6C932C5D), UINT32_C(0x0583D241) }, ++ { UINT32_C(0xF25B73F7), UINT32_C(0x1188CEC8), UINT32_C(0x3B3D06CD), ++ UINT32_C(0xA28788CB), UINT32_C(0xA083DB5A), UINT32_C(0xDEA194EC), ++ UINT32_C(0x22DF4272), UINT32_C(0xD93A4F7E), UINT32_C(0x6A009C49), ++ UINT32_C(0x8D84E4BF), UINT32_C(0x3E3E4A9E), UINT32_C(0x893D8DD9) } }, ++ { { UINT32_C(0x33D31160), UINT32_C(0x35E909EA), UINT32_C(0x57172F1E), ++ UINT32_C(0x50203168), UINT32_C(0x51F3D866), UINT32_C(0x2707FC44), ++ UINT32_C(0xD2442A5D), UINT32_C(0xEB9D2018), UINT32_C(0x5DBFE378), ++ UINT32_C(0x904D7209), UINT32_C(0x5F13CF77), UINT32_C(0x6DB132A3) }, ++ { UINT32_C(0x7A3AF54B), UINT32_C(0x9D842BA6), UINT32_C(0x5AA5B4F9), ++ UINT32_C(0x4E16EA19), UINT32_C(0xAF24228E), UINT32_C(0x2BBA457C), ++ UINT32_C(0x16F3C5FE), UINT32_C(0xCC04B3BB), UINT32_C(0x77E64944), ++ UINT32_C(0xBAFAC516), UINT32_C(0xF08BCEE0), UINT32_C(0x31580A34) } }, ++ { { UINT32_C(0x20C30ACA), UINT32_C(0xC6808DEE), UINT32_C(0xA3EA2056), ++ UINT32_C(0xDADD216F), UINT32_C(0x7A4A9F9D), UINT32_C(0xD331394E), ++ UINT32_C(0x424C4026), UINT32_C(0x9E0441AD), UINT32_C(0x0AEB5350), ++ UINT32_C(0xAEED102F), UINT32_C(0xD45B09DA), UINT32_C(0xC6697FBB) }, ++ { UINT32_C(0xDEAC1496), UINT32_C(0x52A2590E), UINT32_C(0x250B87AF), ++ UINT32_C(0x7142B831), UINT32_C(0x6D0784A8), UINT32_C(0xBEF2E68B), ++ UINT32_C(0xA5F71CEF), UINT32_C(0x5F62593A), UINT32_C(0xB5DA51A3), ++ UINT32_C(0x3B8F7616), UINT32_C(0xB680F5FE), UINT32_C(0xC7A6FA0D) } }, ++ { { UINT32_C(0x99C8227C), UINT32_C(0x36C21DE6), UINT32_C(0xC26813B1), ++ UINT32_C(0xBEE3E867), UINT32_C(0xBDD91549), UINT32_C(0x9B05F2E6), ++ UINT32_C(0xA7D1110F), UINT32_C(0x34FF2B1F), UINT32_C(0x37F67FD0), ++ UINT32_C(0x8E6953B9), UINT32_C(0xC3183E20), UINT32_C(0x56C7F18B) }, ++ { UINT32_C(0x9E2019ED), UINT32_C(0x48AF46DE), UINT32_C(0xF551BBBF), ++ UINT32_C(0xDEAF972E), UINT32_C(0xCC5E3EEF), UINT32_C(0x88EE38F8), ++ UINT32_C(0x392D6BAF), UINT32_C(0xFB8D7A44), UINT32_C(0x0127187D), ++ UINT32_C(0x32293BFC), UINT32_C(0xE58647CC), UINT32_C(0x7689E767) } }, ++ { { UINT32_C(0x52168013), UINT32_C(0x00CE901B), UINT32_C(0x837AAE71), ++ UINT32_C(0xC6BF8E38), UINT32_C(0x167677D8), UINT32_C(0xD6F11EFA), ++ UINT32_C(0x86C8E5CF), UINT32_C(0xE53BB485), UINT32_C(0xC48E74AB), ++ UINT32_C(0x671167CE), UINT32_C(0x8AD720A7), UINT32_C(0x8A40218C) }, ++ { UINT32_C(0xE7C1191A), UINT32_C(0x81E827A6), UINT32_C(0xADDB153D), ++ UINT32_C(0x54058F8D), UINT32_C(0x0D950FA2), UINT32_C(0x0BAF2925), ++ UINT32_C(0x576DDA13), UINT32_C(0xC244674D), UINT32_C(0x41BCD13B), ++ UINT32_C(0x8C4630AE), UINT32_C(0x5A077419), UINT32_C(0x6C2127BF) } }, ++ { { UINT32_C(0xA83C501F), UINT32_C(0xCF977FD5), UINT32_C(0xB6AB176F), ++ UINT32_C(0xD7C6DF36), UINT32_C(0x397BC6B5), UINT32_C(0x117F6331), ++ UINT32_C(0xF7A2D491), UINT32_C(0x72A6078B), UINT32_C(0x5242FE2E), ++ UINT32_C(0xE5A2AAED), UINT32_C(0xFEBDC212), UINT32_C(0x88ECFFDC) }, ++ { UINT32_C(0xCE33BA21), UINT32_C(0xF2DBBF50), UINT32_C(0xCEB19F07), ++ UINT32_C(0xE1343B76), UINT32_C(0xD2C28F71), UINT32_C(0x1F32D4C9), ++ UINT32_C(0x18587685), UINT32_C(0x93FC64B4), UINT32_C(0xBA1F8BD1), ++ UINT32_C(0x39CEEF9B), UINT32_C(0x8D6D6BB0), UINT32_C(0x99C36A78) } }, ++ { { UINT32_C(0x3E9561CF), UINT32_C(0x0D063817), UINT32_C(0x3D33704D), ++ UINT32_C(0x1D8646AA), UINT32_C(0x7A08BA33), UINT32_C(0x8C451384), ++ UINT32_C(0xE02D6624), UINT32_C(0x96446BD3), UINT32_C(0x2D6F4166), ++ UINT32_C(0x749849F0), UINT32_C(0x14268BF0), UINT32_C(0xE364DA01) }, ++ { UINT32_C(0x9AEBFCFD), UINT32_C(0x7CE4587E), UINT32_C(0x56234393), ++ UINT32_C(0xD4686064), UINT32_C(0x16DF73B2), UINT32_C(0x00231D51), ++ UINT32_C(0x7279C78C), UINT32_C(0xF6A969B7), UINT32_C(0x6CB4117C), ++ UINT32_C(0x1FF1F6B6), UINT32_C(0xD3EAB680), UINT32_C(0x30AEBC39) } }, ++ { { UINT32_C(0x93EF00B9), UINT32_C(0x5CC97E64), UINT32_C(0x972345AE), ++ UINT32_C(0xDAE13841), UINT32_C(0x4788F43C), UINT32_C(0x85839184), ++ UINT32_C(0xE2E6CF3E), UINT32_C(0xD0FF521E), UINT32_C(0x4B707C86), ++ UINT32_C(0xAED14A5B), UINT32_C(0xD2523CF7), UINT32_C(0x7EAAE4A6) }, ++ { UINT32_C(0x024C8AC6), UINT32_C(0x266472C5), UINT32_C(0xC0170051), ++ UINT32_C(0xE47E1522), UINT32_C(0x73826BAE), UINT32_C(0x7B83DA61), ++ UINT32_C(0xCF543F0D), UINT32_C(0xE97E19F5), UINT32_C(0x20BF38E2), ++ UINT32_C(0x5D5248FA), UINT32_C(0xDF56A037), UINT32_C(0x8A7C2F7D) } }, ++ { { UINT32_C(0x87B0526C), UINT32_C(0xB04659DD), UINT32_C(0x2307565E), ++ UINT32_C(0x593C604A), UINT32_C(0x7C630AB8), UINT32_C(0x49E52225), ++ UINT32_C(0xDCE9CD23), UINT32_C(0x24C1D0C6), UINT32_C(0x85177079), ++ UINT32_C(0x6FDB241C), UINT32_C(0xF250C351), UINT32_C(0x5F521D19) }, ++ { UINT32_C(0xA6FB61DF), UINT32_C(0xFB56134B), UINT32_C(0xD75C07ED), ++ UINT32_C(0xA4E70D69), UINT32_C(0x7D8825A8), UINT32_C(0xB7A82448), ++ UINT32_C(0xDD64BBCC), UINT32_C(0xA3AEA7D4), UINT32_C(0x8692F539), ++ UINT32_C(0xD53E6E6C), UINT32_C(0xF7AA4BC0), UINT32_C(0x8DDDA83B) } }, ++ }, ++ { ++ { { UINT32_C(0xDD93D50A), UINT32_C(0x140A0F9F), UINT32_C(0x83B7ABAC), ++ UINT32_C(0x4799FFDE), UINT32_C(0x04A1F742), UINT32_C(0x78FF7C23), ++ UINT32_C(0x195BA34E), UINT32_C(0xC0568F51), UINT32_C(0x3B7F78B4), ++ UINT32_C(0xE9718360), UINT32_C(0xF9EFAA53), UINT32_C(0x9CFD1FF1) }, ++ { UINT32_C(0xBB06022E), UINT32_C(0xE924D2C5), UINT32_C(0xFAA2AF6D), ++ UINT32_C(0x9987FA86), UINT32_C(0x6EE37E0F), UINT32_C(0x4B12E73F), ++ UINT32_C(0x5E5A1DDE), UINT32_C(0x1836FDFA), UINT32_C(0x9DCD6416), ++ UINT32_C(0x7F1B9225), UINT32_C(0x677544D8), UINT32_C(0xCB2C1B4D) } }, ++ { { UINT32_C(0x9C213D95), UINT32_C(0x0254486D), UINT32_C(0xCB2F6E94), ++ UINT32_C(0x68A9DB56), UINT32_C(0x000F5491), UINT32_C(0xFB5858BA), ++ UINT32_C(0x34009FB6), UINT32_C(0x1315BDD9), UINT32_C(0xC42BDE30), ++ UINT32_C(0xB18A8E0A), UINT32_C(0xF1070358), UINT32_C(0xFDCF93D1) }, ++ { UINT32_C(0x3022937E), UINT32_C(0xBEB1DB75), UINT32_C(0xCAC20DB4), ++ UINT32_C(0x9B9ECA7A), UINT32_C(0xE4122B20), UINT32_C(0x152214D4), ++ UINT32_C(0xAABCCC7B), UINT32_C(0xD3E673F2), UINT32_C(0xAED07571), ++ UINT32_C(0x94C50F64), UINT32_C(0xE66B4F17), UINT32_C(0xD767059A) } }, ++ { { UINT32_C(0xDCD6D14B), UINT32_C(0x40336B12), UINT32_C(0xE3B4919C), ++ UINT32_C(0xF6BCFF5D), UINT32_C(0x9C841F0C), UINT32_C(0xC337048D), ++ UINT32_C(0x1D617F50), UINT32_C(0x4CE6D025), UINT32_C(0x8117D379), ++ UINT32_C(0x00FEF219), UINT32_C(0xF95BE243), UINT32_C(0x18B7C4E9) }, ++ { UINT32_C(0x38DF08FF), UINT32_C(0x98DE119E), UINT32_C(0x8D772D20), ++ UINT32_C(0xDFD803BD), UINT32_C(0x0F9678BD), UINT32_C(0x94125B72), ++ UINT32_C(0x334ACE30), UINT32_C(0xFC5B57CD), UINT32_C(0xB7E86E04), ++ UINT32_C(0x09486527), UINT32_C(0x6E552039), UINT32_C(0xFE9F8BCC) } }, ++ { { UINT32_C(0xD6F5A10E), UINT32_C(0x3B75C45B), UINT32_C(0xC1C35F38), ++ UINT32_C(0xFD4680F4), UINT32_C(0xF8E0A113), UINT32_C(0x5450227D), ++ UINT32_C(0x73DDBA24), UINT32_C(0x5E69F1AE), UINT32_C(0x57F24645), ++ UINT32_C(0x2007B80E), UINT32_C(0x3D159741), UINT32_C(0xC63695DC) }, ++ { UINT32_C(0x4530F623), UINT32_C(0xCBE54D29), UINT32_C(0x2869586B), ++ UINT32_C(0x986AD573), UINT32_C(0x4CC39F73), UINT32_C(0xE19F7059), ++ UINT32_C(0x2B1B8DA9), UINT32_C(0x80F00AB3), UINT32_C(0x73F68D26), ++ UINT32_C(0xB765AAF9), UINT32_C(0xE993F829), UINT32_C(0xBC79A394) } }, ++ { { UINT32_C(0xF310D2A0), UINT32_C(0x9C441043), UINT32_C(0xDC5EB106), ++ UINT32_C(0x2865EE58), UINT32_C(0x9CB8065C), UINT32_C(0x71A95922), ++ UINT32_C(0xA052AF0F), UINT32_C(0x8EB3A733), UINT32_C(0xB09D716E), ++ UINT32_C(0x56009F42), UINT32_C(0xABCBE6AD), UINT32_C(0xA7F923C5) }, ++ { UINT32_C(0xFA375C01), UINT32_C(0x263B7669), UINT32_C(0x21EF27A2), ++ UINT32_C(0x641C47E5), UINT32_C(0xB08FFD25), UINT32_C(0xA89B474E), ++ UINT32_C(0xF0A239F3), UINT32_C(0x5BE8EC3F), UINT32_C(0x242A6C5A), ++ UINT32_C(0x0E79957A), UINT32_C(0x0C6C75F5), UINT32_C(0x1DFB26D0) } }, ++ { { UINT32_C(0x9DFBF22A), UINT32_C(0x2FD97B9B), UINT32_C(0x5643532D), ++ UINT32_C(0xDEC16CC8), UINT32_C(0x60FEE7C3), UINT32_C(0xDF0E6E39), ++ UINT32_C(0x545860C8), UINT32_C(0xD09AD7B6), UINT32_C(0x73FC3B7C), ++ UINT32_C(0xCC16E984), UINT32_C(0x0D4E1555), UINT32_C(0x6CE734C1) }, ++ { UINT32_C(0x4B5F6032), UINT32_C(0xC6EFE68B), UINT32_C(0x14F54073), ++ UINT32_C(0x3A64F34C), UINT32_C(0xAC44DC95), UINT32_C(0x25DA689C), ++ UINT32_C(0x5358AD8A), UINT32_C(0x990C477E), UINT32_C(0xF36DA7DE), ++ UINT32_C(0x00E958A5), UINT32_C(0xC9B6F161), UINT32_C(0x902B7360) } }, ++ { { UINT32_C(0x9347B90A), UINT32_C(0x454AB42C), UINT32_C(0xA698B02B), ++ UINT32_C(0xCAEBE64A), UINT32_C(0xFB86FA40), UINT32_C(0x119CDC69), ++ UINT32_C(0xC3109281), UINT32_C(0x2E5CB7AD), UINT32_C(0xCD0C3D00), ++ UINT32_C(0x67BB1EC5), UINT32_C(0x83F25BBF), UINT32_C(0x5D430BC7) }, ++ { UINT32_C(0x5CDE0ABB), UINT32_C(0x69FD84A8), UINT32_C(0x9816B688), ++ UINT32_C(0x69DA263E), UINT32_C(0x0E53CBB8), UINT32_C(0xE52D93DF), ++ UINT32_C(0xADD2D5A7), UINT32_C(0x42CF6F25), UINT32_C(0xC87CA88F), ++ UINT32_C(0x227BA59D), UINT32_C(0xDA738554), UINT32_C(0x7A1CA876) } }, ++ { { UINT32_C(0x1CAC82C4), UINT32_C(0x3FA5C105), UINT32_C(0x8A78C9BE), ++ UINT32_C(0x23C76087), UINT32_C(0x1C5CFA42), UINT32_C(0xE98CDAD6), ++ UINT32_C(0x0A6C0421), UINT32_C(0x09C30252), UINT32_C(0x42FC61B9), ++ UINT32_C(0x149BAC7C), UINT32_C(0x3004A3E2), UINT32_C(0x3A1C22AC) }, ++ { UINT32_C(0x202C7FED), UINT32_C(0xDE6B0D6E), UINT32_C(0xE7E63052), ++ UINT32_C(0xB2457377), UINT32_C(0x3706B3EF), UINT32_C(0x31725FD4), ++ UINT32_C(0x2B1AFDBF), UINT32_C(0xE16A347D), UINT32_C(0x8C29CF66), ++ UINT32_C(0xBE4850C4), UINT32_C(0x2939F23C), UINT32_C(0x8F51CC4D) } }, ++ { { UINT32_C(0x219AE6C1), UINT32_C(0x169E025B), UINT32_C(0x116E1CA1), ++ UINT32_C(0x55FF526F), UINT32_C(0xB191F55D), UINT32_C(0x01B810A3), ++ UINT32_C(0x29588A69), UINT32_C(0x2D981272), UINT32_C(0x48B92199), ++ UINT32_C(0x53C93770), UINT32_C(0x8A85236F), UINT32_C(0x8C7DD84E) }, ++ { UINT32_C(0xCAACF958), UINT32_C(0x293D48B6), UINT32_C(0x43572B30), ++ UINT32_C(0x1F084ACB), UINT32_C(0xFAD91F28), UINT32_C(0x628BFA2D), ++ UINT32_C(0x829386AF), UINT32_C(0x8D627B11), UINT32_C(0xD44A77BE), ++ UINT32_C(0x3EC1DD00), UINT32_C(0x649AC7F0), UINT32_C(0x8D3B0D08) } }, ++ { { UINT32_C(0x177513BF), UINT32_C(0x00A93DAA), UINT32_C(0x42AD79E1), ++ UINT32_C(0x2EF0B96F), UINT32_C(0xA07129D9), UINT32_C(0x81F5AAF1), ++ UINT32_C(0x923F2449), UINT32_C(0xFC04B7EF), UINT32_C(0x60CDB1B7), ++ UINT32_C(0x855DA795), UINT32_C(0xAD5D61D4), UINT32_C(0xB1EB5DAB) }, ++ { UINT32_C(0x353FD028), UINT32_C(0xD2CEF1AE), UINT32_C(0x9EE94847), ++ UINT32_C(0xC21D5439), UINT32_C(0x0380C1A8), UINT32_C(0x9ED552BB), ++ UINT32_C(0x2BAC328F), UINT32_C(0xB156FE7A), UINT32_C(0x7213C6A4), ++ UINT32_C(0xBB7E0196), UINT32_C(0x1701ED5B), UINT32_C(0x36002A33) } }, ++ { { UINT32_C(0xDDC9EF4D), UINT32_C(0x20B1632A), UINT32_C(0x272D082B), ++ UINT32_C(0x2A35FF4C), UINT32_C(0xF6CC9BD3), UINT32_C(0x30D39923), ++ UINT32_C(0xE65C9D08), UINT32_C(0x6D879BC2), UINT32_C(0x6FA9983C), ++ UINT32_C(0xCE8274E1), UINT32_C(0x0EB7424F), UINT32_C(0x652371E8) }, ++ { UINT32_C(0xC5C35282), UINT32_C(0x32B77503), UINT32_C(0xC885A931), ++ UINT32_C(0xD7306333), UINT32_C(0x72955AA8), UINT32_C(0x8A16D719), ++ UINT32_C(0x7D51F882), UINT32_C(0x5548F163), UINT32_C(0xBABA59EF), ++ UINT32_C(0xB311DC66), UINT32_C(0x0DB8F627), UINT32_C(0x773D5448) } }, ++ { { UINT32_C(0x7A62EB3B), UINT32_C(0x59B1B134), UINT32_C(0xCCEEFB34), ++ UINT32_C(0x0F8CE157), UINT32_C(0xA798CB2B), UINT32_C(0x3FE842A8), ++ UINT32_C(0x0BF4161D), UINT32_C(0xD01BC626), UINT32_C(0x4D016FDB), ++ UINT32_C(0x55EF6E55), UINT32_C(0xB242B201), UINT32_C(0xCB561503) }, ++ { UINT32_C(0xAF4199C1), UINT32_C(0x076EBC73), UINT32_C(0x697244F7), ++ UINT32_C(0x39DEDCBB), UINT32_C(0x040162BC), UINT32_C(0x9D184733), ++ UINT32_C(0x7F6B5FA6), UINT32_C(0x902992C1), UINT32_C(0xBB4952B5), ++ UINT32_C(0xAD1DE754), UINT32_C(0xA121F6C8), UINT32_C(0x7ACF1B93) } }, ++ { { UINT32_C(0x325C9B9A), UINT32_C(0x7A56867C), UINT32_C(0xF3DC3D6A), ++ UINT32_C(0x1A143999), UINT32_C(0x03F5BCB8), UINT32_C(0xCE109590), ++ UINT32_C(0xD6EEE5B7), UINT32_C(0x034E9035), UINT32_C(0x495DF1BC), ++ UINT32_C(0x2AFA81C8), UINT32_C(0x08924D02), UINT32_C(0x5EAB52DC) }, ++ { UINT32_C(0xAA181904), UINT32_C(0xEE6AA014), UINT32_C(0x310AD621), ++ UINT32_C(0xE62DEF09), UINT32_C(0xC7538A03), UINT32_C(0x6C9792FC), ++ UINT32_C(0x3E41D789), UINT32_C(0xA89D3E88), UINT32_C(0x9F94AE83), ++ UINT32_C(0xD60FA11C), UINT32_C(0xE0D6234A), UINT32_C(0x5E16A8C2) } }, ++ { { UINT32_C(0xA9242F3B), UINT32_C(0x87EC053D), UINT32_C(0xF0E03545), ++ UINT32_C(0x99544637), UINT32_C(0x6B7019E9), UINT32_C(0xEA0633FF), ++ UINT32_C(0x68DDDB5B), UINT32_C(0x8CB8AE07), UINT32_C(0x1A811AC7), ++ UINT32_C(0x892E7C84), UINT32_C(0x73664249), UINT32_C(0xC7EF19EB) }, ++ { UINT32_C(0xCD1489E3), UINT32_C(0xD1B5819A), UINT32_C(0xDE45D24A), ++ UINT32_C(0xF9C80FB0), UINT32_C(0x83BB7491), UINT32_C(0x045C21A6), ++ UINT32_C(0x73F7A47D), UINT32_C(0xA65325BE), UINT32_C(0x9C394F0C), ++ UINT32_C(0x08D09F0E), UINT32_C(0x268D4F08), UINT32_C(0xE7FB21C6) } }, ++ { { UINT32_C(0x6CA95C18), UINT32_C(0xC4CCAB95), UINT32_C(0xBC42E040), ++ UINT32_C(0x563FFD56), UINT32_C(0xE701C604), UINT32_C(0xFA3C64D8), ++ UINT32_C(0xB0ABAFEE), UINT32_C(0xC88D4426), UINT32_C(0x8542E4C3), ++ UINT32_C(0x1A353E5E), UINT32_C(0xED726186), UINT32_C(0x9A2D8B7C) }, ++ { UINT32_C(0x42D097FA), UINT32_C(0xD61CE190), UINT32_C(0x799A748B), ++ UINT32_C(0x6A63E280), UINT32_C(0x3225486B), UINT32_C(0x0F48D063), ++ UINT32_C(0x42A3C443), UINT32_C(0x848F8FE1), UINT32_C(0x8493CEF4), ++ UINT32_C(0x2CCDE250), UINT32_C(0x45E77E7C), UINT32_C(0x5450A508) } }, ++ { { UINT32_C(0x03112816), UINT32_C(0xD0F4E248), UINT32_C(0xCCBE9E16), ++ UINT32_C(0xFCAD9DDB), UINT32_C(0x5AE01EA0), UINT32_C(0x177999BF), ++ UINT32_C(0xCE832DCE), UINT32_C(0xD20C78B9), UINT32_C(0x50C8C646), ++ UINT32_C(0x3CC694FB), UINT32_C(0xC93D4887), UINT32_C(0x24D75968) }, ++ { UINT32_C(0x87BC08AF), UINT32_C(0x9F06366A), UINT32_C(0x7FD0DF2A), ++ UINT32_C(0x59FAB50E), UINT32_C(0x6C4CC234), UINT32_C(0x5FFCC7F7), ++ UINT32_C(0x65F52D86), UINT32_C(0x87198DD7), UINT32_C(0xA855DF04), ++ UINT32_C(0x5B9C94B0), UINT32_C(0x8A067AD7), UINT32_C(0xD8BA6C73) } }, ++ }, ++ { ++ { { UINT32_C(0x1C4C9D90), UINT32_C(0x9E9AF315), UINT32_C(0xD12E0A89), ++ UINT32_C(0x8665C5A9), UINT32_C(0x58286493), UINT32_C(0x204ABD92), ++ UINT32_C(0xB2E09205), UINT32_C(0x79959889), UINT32_C(0xFE56B101), ++ UINT32_C(0x0C727A3D), UINT32_C(0x8B657F26), UINT32_C(0xF366244C) }, ++ { UINT32_C(0xCCA65BE2), UINT32_C(0xDE35D954), UINT32_C(0xB0FD41CE), ++ UINT32_C(0x52EE1230), UINT32_C(0x36019FEE), UINT32_C(0xFA03261F), ++ UINT32_C(0x66511D8F), UINT32_C(0xAFDA42D9), UINT32_C(0x821148B9), ++ UINT32_C(0xF63211DD), UINT32_C(0x6F13A3E1), UINT32_C(0x7B56AF7E) } }, ++ { { UINT32_C(0x5913E184), UINT32_C(0x47FE4799), UINT32_C(0x82145900), ++ UINT32_C(0x5BBE584C), UINT32_C(0x9A867173), UINT32_C(0xB76CFA8B), ++ UINT32_C(0x514BF471), UINT32_C(0x9BC87BF0), UINT32_C(0x71DCF1FC), ++ UINT32_C(0x37392DCE), UINT32_C(0x3AD1EFA8), UINT32_C(0xEC3EFAE0) }, ++ { UINT32_C(0x14876451), UINT32_C(0xBBEA5A34), UINT32_C(0x6217090F), ++ UINT32_C(0x96E5F543), UINT32_C(0x9B1665A9), UINT32_C(0x5B3D4ECD), ++ UINT32_C(0xE329DF22), UINT32_C(0xE7B0DF26), UINT32_C(0x0BAA808D), ++ UINT32_C(0x18FB438E), UINT32_C(0xDD516FAF), UINT32_C(0x90757EBF) } }, ++ { { UINT32_C(0xD5A98D68), UINT32_C(0x1E6F9A95), UINT32_C(0x849DA828), ++ UINT32_C(0x759EA7DF), UINT32_C(0x6E8B4198), UINT32_C(0x365D5625), ++ UINT32_C(0x7A4A53F9), UINT32_C(0xE1B9C53B), UINT32_C(0xE32B9B16), ++ UINT32_C(0x55DC1D50), UINT32_C(0xBB6D5701), UINT32_C(0xA4657EBB) }, ++ { UINT32_C(0xEACC76E2), UINT32_C(0x4C270249), UINT32_C(0x162B1CC7), ++ UINT32_C(0xBE49EC75), UINT32_C(0x0689902B), UINT32_C(0x19A95B61), ++ UINT32_C(0xA4CFC5A8), UINT32_C(0xDD5706BF), UINT32_C(0x14E5B424), ++ UINT32_C(0xD33BDB73), UINT32_C(0xE69EBA87), UINT32_C(0x21311BD1) } }, ++ { { UINT32_C(0x72A21ACC), UINT32_C(0x75BA2F9B), UINT32_C(0xA28EDB4C), ++ UINT32_C(0x356688D4), UINT32_C(0x610D080F), UINT32_C(0x3C339E0B), ++ UINT32_C(0x33A99C2F), UINT32_C(0x614AC293), UINT32_C(0xAA580AFF), ++ UINT32_C(0xA5E23AF2), UINT32_C(0xE1FDBA3A), UINT32_C(0xA6BCB860) }, ++ { UINT32_C(0xB43F9425), UINT32_C(0xAA603365), UINT32_C(0xF7EE4635), ++ UINT32_C(0xAE8D7126), UINT32_C(0x56330A32), UINT32_C(0xA2B25244), ++ UINT32_C(0x9E025AA3), UINT32_C(0xC396B5BB), UINT32_C(0xF8A0D5CF), ++ UINT32_C(0xABBF77FA), UINT32_C(0xEA31C83B), UINT32_C(0xB322EE30) } }, ++ { { UINT32_C(0x7890E234), UINT32_C(0x04881384), UINT32_C(0x672E70C6), ++ UINT32_C(0x387F1159), UINT32_C(0x7B307F75), UINT32_C(0x1468A614), ++ UINT32_C(0xED85EC96), UINT32_C(0x56335B52), UINT32_C(0xD45BCAE9), ++ UINT32_C(0xDA1BB60F), UINT32_C(0xF9FAEADD), UINT32_C(0x4D94F3F0) }, ++ { UINT32_C(0xFC78D86B), UINT32_C(0x6C6A7183), UINT32_C(0x3018DEC6), ++ UINT32_C(0xA425B5C7), UINT32_C(0x2D877399), UINT32_C(0xB1549C33), ++ UINT32_C(0x92B2BC37), UINT32_C(0x6C41C50C), UINT32_C(0x83EE0DDB), ++ UINT32_C(0x3A9F380C), UINT32_C(0xC4599E73), UINT32_C(0xDED5FEB6) } }, ++ { { UINT32_C(0x0B7F8354), UINT32_C(0x14D34C21), UINT32_C(0x9177CE45), ++ UINT32_C(0x1475A1CD), UINT32_C(0x9B926E4B), UINT32_C(0x9F5F764A), ++ UINT32_C(0x05DD21FE), UINT32_C(0x77260D1E), UINT32_C(0xC4B937F7), ++ UINT32_C(0x3C882480), UINT32_C(0x722372F2), UINT32_C(0xC92DCD39) }, ++ { UINT32_C(0xEC6F657E), UINT32_C(0xF636A1BE), UINT32_C(0x1D30DD35), ++ UINT32_C(0xB0E6C312), UINT32_C(0xE4654EFE), UINT32_C(0xFE4B0528), ++ UINT32_C(0x21D230D2), UINT32_C(0x1C4A6820), UINT32_C(0x98FA45AB), ++ UINT32_C(0x615D2E48), UINT32_C(0x01FDBABF), UINT32_C(0x1F35D6D8) } }, ++ { { UINT32_C(0x3A7B10D1), UINT32_C(0xA636EEB8), UINT32_C(0xF4A29E73), ++ UINT32_C(0x4E1AE352), UINT32_C(0xE6BB1EC7), UINT32_C(0x01704F5F), ++ UINT32_C(0x0EF020AE), UINT32_C(0x75C04F72), UINT32_C(0x5A31E6A6), ++ UINT32_C(0x448D8CEE), UINT32_C(0x208F994B), UINT32_C(0xE40A9C29) }, ++ { UINT32_C(0xFD8F9D5D), UINT32_C(0x69E09A30), UINT32_C(0x449BAB7E), ++ UINT32_C(0xE6A5F7EB), UINT32_C(0x2AA1768B), UINT32_C(0xF25BC18A), ++ UINT32_C(0x3C841234), UINT32_C(0x9449E404), UINT32_C(0x016A7BEF), ++ UINT32_C(0x7A3BF43E), UINT32_C(0x2A150B60), UINT32_C(0xF25803E8) } }, ++ { { UINT32_C(0xB215F9E0), UINT32_C(0xE44A2A57), UINT32_C(0x19066F0A), ++ UINT32_C(0x38B34DCE), UINT32_C(0x40BB1BFB), UINT32_C(0x8BB91DAD), ++ UINT32_C(0xE67735FC), UINT32_C(0x64C9F775), UINT32_C(0x88D613CD), ++ UINT32_C(0xDE142417), UINT32_C(0x1901D88D), UINT32_C(0xC5014FF5) }, ++ { UINT32_C(0xF38116B0), UINT32_C(0xA250341D), UINT32_C(0x9D6CBCB2), ++ UINT32_C(0xF96B9DD4), UINT32_C(0x76B3FAC2), UINT32_C(0x15EC6C72), ++ UINT32_C(0x8124C1E9), UINT32_C(0x88F1952F), UINT32_C(0x975BE4F5), ++ UINT32_C(0x6B72F8EA), UINT32_C(0x061F7530), UINT32_C(0x23D288FF) } }, ++ { { UINT32_C(0xAFB96CE3), UINT32_C(0xEBFE3E5F), UINT32_C(0xB1979537), ++ UINT32_C(0x2275EDFB), UINT32_C(0xC97BA741), UINT32_C(0xC37AB9E8), ++ UINT32_C(0x63D7C626), UINT32_C(0x446E4B10), UINT32_C(0xD025EB02), ++ UINT32_C(0xB73E2DCE), UINT32_C(0x7669EEA7), UINT32_C(0x1F952B51) }, ++ { UINT32_C(0x6069A424), UINT32_C(0xABDD00F6), UINT32_C(0xDC298BFB), ++ UINT32_C(0x1C0F9D9B), UINT32_C(0xEB757B33), UINT32_C(0x831B1FD3), ++ UINT32_C(0x59D60B32), UINT32_C(0xD7DBE183), UINT32_C(0x9EF094B3), ++ UINT32_C(0x663D1F36), UINT32_C(0x67F7F11A), UINT32_C(0x1BD5732E) } }, ++ { { UINT32_C(0xC75D8892), UINT32_C(0x3C7FB3F5), UINT32_C(0xBA68DA69), ++ UINT32_C(0x2CFF9A0C), UINT32_C(0x60EC740B), UINT32_C(0x76455E8B), ++ UINT32_C(0x167B88F0), UINT32_C(0x4B8D67FF), UINT32_C(0x5A4186B1), ++ UINT32_C(0xEDEC0C02), UINT32_C(0xBEBF35AB), UINT32_C(0x127C462D) }, ++ { UINT32_C(0x049430FC), UINT32_C(0x9159C67E), UINT32_C(0xE7747320), ++ UINT32_C(0x86B21DD2), UINT32_C(0x0CF27B89), UINT32_C(0x0E0E0152), ++ UINT32_C(0xCD1316B6), UINT32_C(0x705F28F5), UINT32_C(0xBEAEA8A8), ++ UINT32_C(0x76751691), UINT32_C(0x360C5B69), UINT32_C(0x4C73E282) } }, ++ { { UINT32_C(0xFD7B3D74), UINT32_C(0x46BCC0D5), UINT32_C(0x0DC4F410), ++ UINT32_C(0x6F13C20E), UINT32_C(0x72F11CDF), UINT32_C(0x98A1AF7D), ++ UINT32_C(0x7928881C), UINT32_C(0x6099FD83), UINT32_C(0x371BB94B), ++ UINT32_C(0x66976356), UINT32_C(0x19B945AB), UINT32_C(0x673FBA72) }, ++ { UINT32_C(0xAED00700), UINT32_C(0xE4D8FA6E), UINT32_C(0x5C71A9F7), ++ UINT32_C(0xEA2313EC), UINT32_C(0xF99D4AEA), UINT32_C(0xF9ED8268), ++ UINT32_C(0x42AB59C7), UINT32_C(0xADD89164), UINT32_C(0x3F3A2D45), ++ UINT32_C(0xB37EB26F), UINT32_C(0xA924841E), UINT32_C(0x0B39BD7A) } }, ++ { { UINT32_C(0xE03CDBBB), UINT32_C(0xD811EB32), UINT32_C(0x7CC3610E), ++ UINT32_C(0x12055F1D), UINT32_C(0xA9046E3F), UINT32_C(0x6B23A1A0), ++ UINT32_C(0x9DD4A749), UINT32_C(0x4D712122), UINT32_C(0xB1BF0AC3), ++ UINT32_C(0xB0C2ACA1), UINT32_C(0xC1B0432F), UINT32_C(0x71EFF575) }, ++ { UINT32_C(0x2B44E285), UINT32_C(0x6CD81492), UINT32_C(0xD87E8D20), ++ UINT32_C(0x3088BD9C), UINT32_C(0xF567E8FA), UINT32_C(0xACE218E5), ++ UINT32_C(0xCF90CBBB), UINT32_C(0xB3FA0424), UINT32_C(0x770734D3), ++ UINT32_C(0xADBDA751), UINT32_C(0x5AD6569A), UINT32_C(0xBCD78BAD) } }, ++ { { UINT32_C(0x7F39641F), UINT32_C(0xCADB31FA), UINT32_C(0x825E5562), ++ UINT32_C(0x3EF3E295), UINT32_C(0xF4094C64), UINT32_C(0x4893C633), ++ UINT32_C(0x8ADDF432), UINT32_C(0x52F685F1), UINT32_C(0x7FDC9373), ++ UINT32_C(0x9FD887AB), UINT32_C(0xE8680E8B), UINT32_C(0x47A9ADA0) }, ++ { UINT32_C(0xF0CD44F6), UINT32_C(0x579313B7), UINT32_C(0xE188AE2E), ++ UINT32_C(0xAC4B8668), UINT32_C(0x8FB145BD), UINT32_C(0x648F4369), ++ UINT32_C(0x74629E31), UINT32_C(0xE0460AB3), UINT32_C(0x8FF2B05F), ++ UINT32_C(0xC25F2875), UINT32_C(0x2D31EAEA), UINT32_C(0x4720C2B6) } }, ++ { { UINT32_C(0x13D48F80), UINT32_C(0x4603CDF4), UINT32_C(0xA49725DA), ++ UINT32_C(0x9ADB50E2), UINT32_C(0x65DF63F0), UINT32_C(0x8CD33050), ++ UINT32_C(0xCD643003), UINT32_C(0x58D8B3BB), UINT32_C(0xB739826B), ++ UINT32_C(0x170A4F4A), UINT32_C(0x1EAD0E17), UINT32_C(0x857772B5) }, ++ { UINT32_C(0xE65320F1), UINT32_C(0x01B78152), UINT32_C(0xB7503FC0), ++ UINT32_C(0xA6B4D845), UINT32_C(0x3DD50798), UINT32_C(0x0F5089B9), ++ UINT32_C(0x5690B6BE), UINT32_C(0x488F200F), UINT32_C(0x9E096F36), ++ UINT32_C(0x220B4ADF), UINT32_C(0x8CE5BC7C), UINT32_C(0x474D7C9F) } }, ++ { { UINT32_C(0xC745F8C9), UINT32_C(0xFED8C058), UINT32_C(0x291262D1), ++ UINT32_C(0xB683179E), UINT32_C(0xD15EE88C), UINT32_C(0x26ABD367), ++ UINT32_C(0xF60A6249), UINT32_C(0x29E8EED3), UINT32_C(0x1E02D6E1), ++ UINT32_C(0xED6008BB), UINT32_C(0xA6B12B8D), UINT32_C(0xD82ECF4C) }, ++ { UINT32_C(0xAAE4FA22), UINT32_C(0x9929D021), UINT32_C(0x336A1AB3), ++ UINT32_C(0xBE4DEF14), UINT32_C(0x8C80A312), UINT32_C(0x529B7E09), ++ UINT32_C(0xEE0EB0CE), UINT32_C(0xB059188D), UINT32_C(0x16DEAB7F), ++ UINT32_C(0x1E42979A), UINT32_C(0x84EE9477), UINT32_C(0x24110349) } }, ++ { { UINT32_C(0x2BE579CC), UINT32_C(0xD6524685), UINT32_C(0xC456FDED), ++ UINT32_C(0x849316F1), UINT32_C(0x2D1B67DA), UINT32_C(0xC51B7DA4), ++ UINT32_C(0x41BC6D6A), UINT32_C(0xC25B539E), UINT32_C(0xA9BF8BED), ++ UINT32_C(0xE3B7CCA3), UINT32_C(0x045C15E4), UINT32_C(0x813EF18C) }, ++ { UINT32_C(0x697982C4), UINT32_C(0x5F3789A1), UINT32_C(0x8C435566), ++ UINT32_C(0x4C125369), UINT32_C(0xDC0A92C6), UINT32_C(0x00A7AE6E), ++ UINT32_C(0x2F64A053), UINT32_C(0x1ABC929B), UINT32_C(0x38666B44), ++ UINT32_C(0xF4925C4C), UINT32_C(0x0F3DE7F6), UINT32_C(0xA81044B0) } }, ++ }, ++ { ++ { { UINT32_C(0xC2EC3731), UINT32_C(0xBCC88422), UINT32_C(0x10DC4EC2), ++ UINT32_C(0x78A3E4D4), UINT32_C(0x2571D6B1), UINT32_C(0x745DA1EF), ++ UINT32_C(0x739A956E), UINT32_C(0xF01C2921), UINT32_C(0xE4BFFC16), ++ UINT32_C(0xEFFD8065), UINT32_C(0xF36FE72C), UINT32_C(0x6EFE62A1) }, ++ { UINT32_C(0x0F4629A4), UINT32_C(0xF49E90D2), UINT32_C(0x8CE646F4), ++ UINT32_C(0xADD1DCC7), UINT32_C(0xB7240D91), UINT32_C(0xCB78B583), ++ UINT32_C(0x03F8387F), UINT32_C(0x2E1A7C3C), UINT32_C(0x3200F2D9), ++ UINT32_C(0x16566C22), UINT32_C(0xAAF80A84), UINT32_C(0x2361B14B) } }, ++ { { UINT32_C(0xB5733309), UINT32_C(0xDB1CFFD2), UINT32_C(0x0F9DD939), ++ UINT32_C(0x24BC250B), UINT32_C(0xA3C1DB85), UINT32_C(0xA4181E5A), ++ UINT32_C(0xAC55D391), UINT32_C(0xE5183E51), UINT32_C(0xEFD270D0), ++ UINT32_C(0x2793D5EF), UINT32_C(0xC0631546), UINT32_C(0x7D56F63D) }, ++ { UINT32_C(0x0C1EE59D), UINT32_C(0xECB40A59), UINT32_C(0xBB5BFA2C), ++ UINT32_C(0xE613A9E4), UINT32_C(0x6C5830F9), UINT32_C(0xA89B14AB), ++ UINT32_C(0xA03F201E), UINT32_C(0x4DC477DC), UINT32_C(0xC88C54F6), ++ UINT32_C(0x5604F5DA), UINT32_C(0x2ACFC66E), UINT32_C(0xD49264DC) } }, ++ { { UINT32_C(0x1C4DFA95), UINT32_C(0x283DD7F0), UINT32_C(0x62C0B160), ++ UINT32_C(0xB898CC2C), UINT32_C(0x870282AA), UINT32_C(0xBA08C095), ++ UINT32_C(0xF4E36324), UINT32_C(0xB02B00D8), UINT32_C(0x604CECF2), ++ UINT32_C(0x53AADDC0), UINT32_C(0x84DDD24E), UINT32_C(0xF1F927D3) }, ++ { UINT32_C(0xE2ABC9E1), UINT32_C(0x34BC00A0), UINT32_C(0x60289F88), ++ UINT32_C(0x2DA1227D), UINT32_C(0xCEF68F74), UINT32_C(0x5228EAAA), ++ UINT32_C(0x3C029351), UINT32_C(0x40A790D2), UINT32_C(0x8442E3B7), ++ UINT32_C(0xE0E9AF5C), UINT32_C(0xA9F141E0), UINT32_C(0xA3214142) } }, ++ { { UINT32_C(0xF9A58E3D), UINT32_C(0x72F4949E), UINT32_C(0xA48660A6), ++ UINT32_C(0x738C700B), UINT32_C(0x092A5805), UINT32_C(0x71B04726), ++ UINT32_C(0x0F5CDB72), UINT32_C(0xAD5C3C11), UINT32_C(0x554BFC49), ++ UINT32_C(0xD4951F9E), UINT32_C(0x6131EBE7), UINT32_C(0xEE594EE5) }, ++ { UINT32_C(0x3C1AF0A9), UINT32_C(0x37DA59F3), UINT32_C(0xCB040A63), ++ UINT32_C(0xD7AFC73B), UINT32_C(0x4D89FA65), UINT32_C(0xD020962A), ++ UINT32_C(0x71D824F5), UINT32_C(0x2610C61E), UINT32_C(0x3C050E31), ++ UINT32_C(0x9C917DA7), UINT32_C(0xE6E7EBFB), UINT32_C(0x3840F92F) } }, ++ { { UINT32_C(0x8D8B8CED), UINT32_C(0x50FBD7FE), UINT32_C(0x47D240AE), ++ UINT32_C(0xC7282F75), UINT32_C(0x1930FF73), UINT32_C(0x79646A47), ++ UINT32_C(0x2F7F5A77), UINT32_C(0x2E0BAC4E), UINT32_C(0x26127E0B), ++ UINT32_C(0x0EE44FA5), UINT32_C(0x82BC2AA7), UINT32_C(0x678881B7) }, ++ { UINT32_C(0x67F5F497), UINT32_C(0xB9E5D384), UINT32_C(0xA9B7106B), ++ UINT32_C(0x8F94A7D4), UINT32_C(0x9D329F68), UINT32_C(0xBF7E0B07), ++ UINT32_C(0x45D192FB), UINT32_C(0x169B93EA), UINT32_C(0x20DBE8C0), ++ UINT32_C(0xCCAA9467), UINT32_C(0x938F9574), UINT32_C(0xD4513A50) } }, ++ { { UINT32_C(0x054CB874), UINT32_C(0x841C96B4), UINT32_C(0xA3C26834), ++ UINT32_C(0xD75B1AF1), UINT32_C(0xEE6575F0), UINT32_C(0x7237169D), ++ UINT32_C(0x0322AADC), UINT32_C(0xD71FC7E5), UINT32_C(0x949E3A8E), ++ UINT32_C(0xD7A23F1E), UINT32_C(0xDD31D8C7), UINT32_C(0x77E2D102) }, ++ { UINT32_C(0xD10F5A1F), UINT32_C(0x5AD69D09), UINT32_C(0xB99D9A0B), ++ UINT32_C(0x526C9CB4), UINT32_C(0x972B237D), UINT32_C(0x521BB10B), ++ UINT32_C(0xA326F342), UINT32_C(0x1E4CD42F), UINT32_C(0xF0F126CA), ++ UINT32_C(0x5BB6DB27), UINT32_C(0xA4A515AD), UINT32_C(0x587AF22C) } }, ++ { { UINT32_C(0xB12E542F), UINT32_C(0x1123A531), UINT32_C(0xB9EB2811), ++ UINT32_C(0x1D01A64D), UINT32_C(0xF2D70F87), UINT32_C(0xA4A3515B), ++ UINT32_C(0xB4BD0270), UINT32_C(0xFA205234), UINT32_C(0x5EDA26B9), ++ UINT32_C(0x74B81830), UINT32_C(0x56578E75), UINT32_C(0x9305D6E6) }, ++ { UINT32_C(0x9F11BE19), UINT32_C(0xF38E69DE), UINT32_C(0x44DBE89F), ++ UINT32_C(0x1E2A5C23), UINT32_C(0xFD286654), UINT32_C(0x1077E7BC), ++ UINT32_C(0x0FCA4741), UINT32_C(0xD3669894), UINT32_C(0x278F8497), ++ UINT32_C(0x893BF904), UINT32_C(0xEB3E14F4), UINT32_C(0xD6AC5F83) } }, ++ { { UINT32_C(0x488F5F74), UINT32_C(0x327B9DAB), UINT32_C(0xCAB7364F), ++ UINT32_C(0x2B44F4B8), UINT32_C(0x19B6C6BD), UINT32_C(0xB4A6D22D), ++ UINT32_C(0xFC77CD3E), UINT32_C(0xA087E613), UINT32_C(0xB0B49BC7), ++ UINT32_C(0x4558E327), UINT32_C(0xCD835D35), UINT32_C(0x188805BE) }, ++ { UINT32_C(0xC1DC1007), UINT32_C(0x592F293C), UINT32_C(0x6AF02B44), ++ UINT32_C(0xFAEE660F), UINT32_C(0x904035F2), UINT32_C(0x5BFBB3BF), ++ UINT32_C(0x79C07E70), UINT32_C(0xD7C9AE60), UINT32_C(0x234896C2), ++ UINT32_C(0xC5287DD4), UINT32_C(0xCB0E4121), UINT32_C(0xC4CE4523) } }, ++ { { UINT32_C(0x58344831), UINT32_C(0x3626B406), UINT32_C(0x8E55C984), ++ UINT32_C(0xABCCE356), UINT32_C(0x77241602), UINT32_C(0x495CC81C), ++ UINT32_C(0x6D70DF8F), UINT32_C(0x4FB79676), UINT32_C(0x5B071DCA), ++ UINT32_C(0x6354B37C), UINT32_C(0x8C0FC0AD), UINT32_C(0x2CAD80A4) }, ++ { UINT32_C(0xF68739B4), UINT32_C(0x18AADD51), UINT32_C(0x47F09C6C), ++ UINT32_C(0x1BFBB177), UINT32_C(0xA8FD51C4), UINT32_C(0x9355EA19), ++ UINT32_C(0xEE58DB7B), UINT32_C(0x3D512A84), UINT32_C(0xE9237640), ++ UINT32_C(0x70842AFD), UINT32_C(0xACAF858D), UINT32_C(0x36F515CA) } }, ++ { { UINT32_C(0x7E768B23), UINT32_C(0x3DDEC7C4), UINT32_C(0x036D43ED), ++ UINT32_C(0x97E13C53), UINT32_C(0x3A39AB5F), UINT32_C(0x871E5925), ++ UINT32_C(0x07E68E2B), UINT32_C(0x9AF292DE), UINT32_C(0x4A40112E), ++ UINT32_C(0x41158349), UINT32_C(0x3D4D97E6), UINT32_C(0xCDBB46AF) }, ++ { UINT32_C(0x3C0EBE40), UINT32_C(0x2F891293), UINT32_C(0x3EBAD1E5), ++ UINT32_C(0x696C7EEE), UINT32_C(0x33B50D99), UINT32_C(0x8A5F3B69), ++ UINT32_C(0x7ED47DDE), UINT32_C(0xB7BC4840), UINT32_C(0x1E6706D8), ++ UINT32_C(0x3A6F8E6C), UINT32_C(0x3D84BB8F), UINT32_C(0x6A147943) } }, ++ { { UINT32_C(0x603AE8D1), UINT32_C(0xEC3A9C78), UINT32_C(0x228C29E5), ++ UINT32_C(0xBFE07E37), UINT32_C(0x396DBC2B), UINT32_C(0xB0385C5B), ++ UINT32_C(0xDF85F41F), UINT32_C(0x7C14FE83), UINT32_C(0xADFD463E), ++ UINT32_C(0xE2E64676), UINT32_C(0x8BF9F23D), UINT32_C(0x5BEF10AA) }, ++ { UINT32_C(0xF6BAB6DA), UINT32_C(0xFA83EA0D), UINT32_C(0x966BF7E3), ++ UINT32_C(0xCD0C8BA5), UINT32_C(0x98501C2E), UINT32_C(0xD62216B4), ++ UINT32_C(0xC3E69F2D), UINT32_C(0xB7F298A4), UINT32_C(0x9C8740F4), ++ UINT32_C(0x42CEF13B), UINT32_C(0x0DD64307), UINT32_C(0xBB317E52) } }, ++ { { UINT32_C(0x3FFEE775), UINT32_C(0x22B6245C), UINT32_C(0xB37CE7AA), ++ UINT32_C(0x5C3F60BE), UINT32_C(0xE1FEC0DF), UINT32_C(0xDE195D40), ++ UINT32_C(0xA0A82074), UINT32_C(0x3BFAFBC5), UINT32_C(0xC72CA86A), ++ UINT32_C(0xC36EC86A), UINT32_C(0x13FD43EA), UINT32_C(0x56062851) }, ++ { UINT32_C(0x8E0B03A4), UINT32_C(0x8686BE80), UINT32_C(0xD540D440), ++ UINT32_C(0xC3BD1F93), UINT32_C(0xBF96CEC5), UINT32_C(0x13E4EBC0), ++ UINT32_C(0x9190C844), UINT32_C(0xE8E23984), UINT32_C(0x00844802), ++ UINT32_C(0x183593A6), UINT32_C(0x4D206878), UINT32_C(0x46716879) } }, ++ { { UINT32_C(0xB6F63D19), UINT32_C(0x358F394D), UINT32_C(0x6B052194), ++ UINT32_C(0xA75D4849), UINT32_C(0x5C8D7975), UINT32_C(0x58403590), ++ UINT32_C(0x6CBFBD77), UINT32_C(0x86DC9B6B), UINT32_C(0x647A51E5), ++ UINT32_C(0x2DB04D77), UINT32_C(0xF8950D88), UINT32_C(0x5E9A5B02) }, ++ { UINT32_C(0x017168B0), UINT32_C(0xCE69A7E5), UINT32_C(0xC4843AD3), ++ UINT32_C(0x94630FAC), UINT32_C(0x1EFC44FF), UINT32_C(0xB3B9D736), ++ UINT32_C(0xB14D7F93), UINT32_C(0xE729E9B6), UINT32_C(0xE0ED0ABC), ++ UINT32_C(0xA071FC60), UINT32_C(0x8C8D9B83), UINT32_C(0xFC1A9971) } }, ++ { { UINT32_C(0xD138E975), UINT32_C(0x49686031), UINT32_C(0x5A8EF0D1), ++ UINT32_C(0x64864038), UINT32_C(0xE7F7DE49), UINT32_C(0x32679713), ++ UINT32_C(0x29D1CD1D), UINT32_C(0x59132349), UINT32_C(0x20BE9ED2), ++ UINT32_C(0x849AA23A), UINT32_C(0x284B3F33), UINT32_C(0x15D303E1) }, ++ { UINT32_C(0xB63F9FE9), UINT32_C(0x37309475), UINT32_C(0x45B7256A), ++ UINT32_C(0x327BAC8B), UINT32_C(0xD17FC5D3), UINT32_C(0x291CD227), ++ UINT32_C(0xA973EDF1), UINT32_C(0x8291D8CD), UINT32_C(0x437ABA09), ++ UINT32_C(0xF3843562), UINT32_C(0x271D0785), UINT32_C(0x33FFB704) } }, ++ { { UINT32_C(0x47E11E5E), UINT32_C(0x5248D6E4), UINT32_C(0x269C7ED3), ++ UINT32_C(0x0F66FC3C), UINT32_C(0x903E346E), UINT32_C(0x18C0D2B9), ++ UINT32_C(0x4BEAE1B8), UINT32_C(0xD81D9D97), UINT32_C(0xFC30FDF3), ++ UINT32_C(0x610326B0), UINT32_C(0x19A7DFCD), UINT32_C(0x2B136870) }, ++ { UINT32_C(0xB9527676), UINT32_C(0xEC75F70A), UINT32_C(0x29A3D897), ++ UINT32_C(0x90829F51), UINT32_C(0x97980302), UINT32_C(0x92FE1809), ++ UINT32_C(0x68474991), UINT32_C(0xA3F2498E), UINT32_C(0x0F22BBAD), ++ UINT32_C(0x6A66307B), UINT32_C(0x20378557), UINT32_C(0x32014B91) } }, ++ { { UINT32_C(0x3CD98610), UINT32_C(0x72CD7D55), UINT32_C(0x74504ADF), ++ UINT32_C(0xC3D560B0), UINT32_C(0xCEBB5D5D), UINT32_C(0x23F0A982), ++ UINT32_C(0xB839DDB8), UINT32_C(0x1431C15B), UINT32_C(0xCEB72207), ++ UINT32_C(0x7E207CD8), UINT32_C(0xE7EFB28D), UINT32_C(0x28E0A848) }, ++ { UINT32_C(0x1BD96F6E), UINT32_C(0xD22561FE), UINT32_C(0x62A8236B), ++ UINT32_C(0x04812C18), UINT32_C(0x975491FA), UINT32_C(0xA0BF2334), ++ UINT32_C(0x435DF87F), UINT32_C(0x294F42A6), UINT32_C(0xA5D6F4F6), ++ UINT32_C(0x2772B783), UINT32_C(0x2724F853), UINT32_C(0x348F92ED) } }, ++ }, ++ { ++ { { UINT32_C(0x1A42E5E7), UINT32_C(0xC20FB911), UINT32_C(0x81D12863), ++ UINT32_C(0x075A678B), UINT32_C(0x5CC0AA89), UINT32_C(0x12BCBC6A), ++ UINT32_C(0x4FB9F01E), UINT32_C(0x5279C6AB), UINT32_C(0x11AE1B89), ++ UINT32_C(0xBC8E1789), UINT32_C(0xC290003C), UINT32_C(0xAE74A706) }, ++ { UINT32_C(0x79DF3F45), UINT32_C(0x9949D6EC), UINT32_C(0x96C8D37F), ++ UINT32_C(0xBA18E262), UINT32_C(0xDD2275BF), UINT32_C(0x68DE6EE2), ++ UINT32_C(0xC419F1D5), UINT32_C(0xA9E4FFF8), UINT32_C(0xA52B5A40), ++ UINT32_C(0xBC759CA4), UINT32_C(0x63B0996D), UINT32_C(0xFF18CBD8) } }, ++ { { UINT32_C(0xD7DD47E5), UINT32_C(0x73C57FDE), UINT32_C(0xD49A7F5D), ++ UINT32_C(0xB0FE5479), UINT32_C(0xCFB9821E), UINT32_C(0xD25C71F1), ++ UINT32_C(0xCF6A1D68), UINT32_C(0x9427E209), UINT32_C(0xACD24E64), ++ UINT32_C(0xBF3C3916), UINT32_C(0xBDA7B8B5), UINT32_C(0x7E9F5583) }, ++ { UINT32_C(0xCF971E11), UINT32_C(0xE7C5F7C8), UINT32_C(0x3C7F035E), ++ UINT32_C(0xEC16D5D7), UINT32_C(0xE66B277C), UINT32_C(0x818DC472), ++ UINT32_C(0xB2816F1E), UINT32_C(0x4413FD47), UINT32_C(0x48383C6D), ++ UINT32_C(0x40F262AF), UINT32_C(0x4F190537), UINT32_C(0xFB057584) } }, ++ { { UINT32_C(0x08962F6B), UINT32_C(0x487EDC07), UINT32_C(0x190A7E55), ++ UINT32_C(0x6002F1E7), UINT32_C(0x10FDBA0C), UINT32_C(0x7FC62BEA), ++ UINT32_C(0x2C3DBF33), UINT32_C(0xC836BBC5), UINT32_C(0x4F7D2A46), ++ UINT32_C(0x4FDFB5C3), UINT32_C(0xDCA0DF71), UINT32_C(0x824654DE) }, ++ { UINT32_C(0x0C23902B), UINT32_C(0x30A07676), UINT32_C(0x77FBBF37), ++ UINT32_C(0x7F1EBB93), UINT32_C(0xFACC13DB), UINT32_C(0xD307D49D), ++ UINT32_C(0xAE1A261A), UINT32_C(0x148D673A), UINT32_C(0x52D98650), ++ UINT32_C(0xE008F95B), UINT32_C(0x9F558FDE), UINT32_C(0xC7614440) } }, ++ { { UINT32_C(0x9CB16650), UINT32_C(0x17CD6AF6), UINT32_C(0x69F4EEBE), ++ UINT32_C(0x86CC27C1), UINT32_C(0x78822432), UINT32_C(0x7E495B1D), ++ UINT32_C(0x1B974525), UINT32_C(0xFED338E3), UINT32_C(0x86F3CE21), ++ UINT32_C(0x527743D3), UINT32_C(0xB515C896), UINT32_C(0x87948AD3) }, ++ { UINT32_C(0xB17F2FB8), UINT32_C(0x9FDE7039), UINT32_C(0xD9B89D96), ++ UINT32_C(0xA2FA9A5F), UINT32_C(0x36FF74DC), UINT32_C(0x5D46600B), ++ UINT32_C(0x8302C3C9), UINT32_C(0x8EA74B04), UINT32_C(0xF744B5EB), ++ UINT32_C(0xD560F570), UINT32_C(0xFE762402), UINT32_C(0xC921023B) } }, ++ { { UINT32_C(0xFFF4C8ED), UINT32_C(0xA35AB657), UINT32_C(0x8A5FABD7), ++ UINT32_C(0x017C6124), UINT32_C(0x09ACDA28), UINT32_C(0x56463025), ++ UINT32_C(0x14CF238A), UINT32_C(0x6038D361), UINT32_C(0xAF1B9F07), ++ UINT32_C(0x1428B1B6), UINT32_C(0x7482E95C), UINT32_C(0x5827FF44) }, ++ { UINT32_C(0x780FF362), UINT32_C(0xCB997E18), UINT32_C(0xE0BCAC1E), ++ UINT32_C(0x2B89D702), UINT32_C(0xA837DDC8), UINT32_C(0xC632A0B5), ++ UINT32_C(0x59762647), UINT32_C(0xF3EFCF1F), UINT32_C(0x38B0D60A), ++ UINT32_C(0xE9BA309A), UINT32_C(0x20B5FB37), UINT32_C(0x05DEABDD) } }, ++ { { UINT32_C(0xCB8AF047), UINT32_C(0xD44E5DBA), UINT32_C(0x943CFE82), ++ UINT32_C(0x15400CB4), UINT32_C(0x9DF88B67), UINT32_C(0xDBD69575), ++ UINT32_C(0xB2405A7D), UINT32_C(0x8299DB2B), UINT32_C(0x0B1D80CD), ++ UINT32_C(0x46E3BF77), UINT32_C(0xE82BA3D9), UINT32_C(0xC50CF66C) }, ++ { UINT32_C(0xF2F747A9), UINT32_C(0xB2910A07), UINT32_C(0x5ADC89C1), ++ UINT32_C(0xF6B669DB), UINT32_C(0x9052B081), UINT32_C(0x3B5EF1A0), ++ UINT32_C(0xB594ACE2), UINT32_C(0x0F5D5ED3), UINT32_C(0xD5F01320), ++ UINT32_C(0xDA30B8D5), UINT32_C(0xAAFCD58F), UINT32_C(0x0D688C5E) } }, ++ { { UINT32_C(0x2A161074), UINT32_C(0x5EEE3A31), UINT32_C(0xEFE2BE37), ++ UINT32_C(0x6BAAAE56), UINT32_C(0xE3D78698), UINT32_C(0xF9787F61), ++ UINT32_C(0x50630A30), UINT32_C(0xC6836B26), UINT32_C(0x1445DEF1), ++ UINT32_C(0x7445B85D), UINT32_C(0xD568A6A5), UINT32_C(0xD72016A2) }, ++ { UINT32_C(0xE355614F), UINT32_C(0x9DD6F533), UINT32_C(0x91E04588), ++ UINT32_C(0x637E7E5F), UINT32_C(0xB9FB1391), UINT32_C(0x42E142F3), ++ UINT32_C(0x41AFE5DA), UINT32_C(0x0D07C05C), UINT32_C(0x1394EDF1), ++ UINT32_C(0xD7CD25C8), UINT32_C(0xB99288EE), UINT32_C(0xEBE6A0FC) } }, ++ { { UINT32_C(0xBABBAD86), UINT32_C(0xB8E63B7B), UINT32_C(0x90D66766), ++ UINT32_C(0x63226A9F), UINT32_C(0x5CF26666), UINT32_C(0x26381836), ++ UINT32_C(0x4CADD0BF), UINT32_C(0xCCBD142D), UINT32_C(0x9AC29470), ++ UINT32_C(0xA070965E), UINT32_C(0x25FF23ED), UINT32_C(0x6BDCA260) }, ++ { UINT32_C(0x87DCA7B3), UINT32_C(0xD4E00FD4), UINT32_C(0x9E0E8734), ++ UINT32_C(0xA5097833), UINT32_C(0x048173A4), UINT32_C(0xF73F162E), ++ UINT32_C(0x9C3C2FA2), UINT32_C(0xD23F9196), UINT32_C(0xE4AC397A), ++ UINT32_C(0x9AB98B45), UINT32_C(0x543F2D4B), UINT32_C(0x2BAA0300) } }, ++ { { UINT32_C(0xC658C445), UINT32_C(0xBBBE15E7), UINT32_C(0xC28941D1), ++ UINT32_C(0xB8CBCB20), UINT32_C(0x027D6540), UINT32_C(0x65549BE2), ++ UINT32_C(0x1E8EF4F4), UINT32_C(0xEBBCA802), UINT32_C(0xD2ACA397), ++ UINT32_C(0x18214B4B), UINT32_C(0xE31784A3), UINT32_C(0xCBEC7DE2) }, ++ { UINT32_C(0x0116FDF3), UINT32_C(0x96F0533F), UINT32_C(0x5C8F5EE1), ++ UINT32_C(0x68911C90), UINT32_C(0xD568603A), UINT32_C(0x7DE9A3AE), ++ UINT32_C(0x6A3AD7B7), UINT32_C(0x3F56C52C), UINT32_C(0x670B4D0E), ++ UINT32_C(0x5BE9AFCA), UINT32_C(0x375DFE2F), UINT32_C(0x628BFEEE) } }, ++ { { UINT32_C(0xDD4ADDB3), UINT32_C(0x97DAE81B), UINT32_C(0x8704761B), ++ UINT32_C(0x12D2CF4E), UINT32_C(0x3247788D), UINT32_C(0x5E820B40), ++ UINT32_C(0x0051CA80), UINT32_C(0x82234B62), UINT32_C(0x6CB5EA74), ++ UINT32_C(0x0C62704D), UINT32_C(0x23941593), UINT32_C(0xDE560420) }, ++ { UINT32_C(0xF1B04145), UINT32_C(0xB3912A3C), UINT32_C(0xAF93688D), ++ UINT32_C(0xE3967CD7), UINT32_C(0x58DABB4B), UINT32_C(0x2E2DCD2F), ++ UINT32_C(0x0E303911), UINT32_C(0x6564836F), UINT32_C(0xECE07C5C), ++ UINT32_C(0x1F10F19B), UINT32_C(0xD8919126), UINT32_C(0xB47F07EE) } }, ++ { { UINT32_C(0xE9A2EEC9), UINT32_C(0xE3545085), UINT32_C(0x2C8E51FE), ++ UINT32_C(0x81866A97), UINT32_C(0x50027243), UINT32_C(0xD2BA7DB5), ++ UINT32_C(0x4AE87DE4), UINT32_C(0x29DAEAB5), UINT32_C(0x684F9497), ++ UINT32_C(0x5EF3D4B8), UINT32_C(0x9D5D6873), UINT32_C(0xE2DACE3B) }, ++ { UINT32_C(0xFFD29C9C), UINT32_C(0xF012C951), UINT32_C(0xADBADA14), ++ UINT32_C(0x48289445), UINT32_C(0x89558C49), UINT32_C(0x8751F50D), ++ UINT32_C(0x99E35BEE), UINT32_C(0x75511A4F), UINT32_C(0x7D59AA5F), ++ UINT32_C(0xEF802D6E), UINT32_C(0xA2A795E2), UINT32_C(0x14FCAD65) } }, ++ { { UINT32_C(0x08CB8F2C), UINT32_C(0xC8EB00E8), UINT32_C(0x2B45BD86), ++ UINT32_C(0x68607532), UINT32_C(0x59969713), UINT32_C(0x7A29B459), ++ UINT32_C(0xD684201B), UINT32_C(0x5FA15B9B), UINT32_C(0xB9E538EE), ++ UINT32_C(0x1A853190), UINT32_C(0xD573D043), UINT32_C(0x4150605C) }, ++ { UINT32_C(0xEB9FBB68), UINT32_C(0xEF011D3B), UINT32_C(0x66AE32B6), ++ UINT32_C(0x67279982), UINT32_C(0x445DE5EC), UINT32_C(0x861B86EA), ++ UINT32_C(0xA34A50E1), UINT32_C(0x62837D18), UINT32_C(0xBF5F0663), ++ UINT32_C(0x228C006A), UINT32_C(0x396DB36A), UINT32_C(0xE007FDE7) } }, ++ { { UINT32_C(0x5A916A55), UINT32_C(0xDEE4F881), UINT32_C(0xF39C82CB), ++ UINT32_C(0x20DC0370), UINT32_C(0x40F09821), UINT32_C(0xD9A71615), ++ UINT32_C(0xF7273492), UINT32_C(0xD50AD8BF), UINT32_C(0x32E7C4BF), ++ UINT32_C(0xA06F7D12), UINT32_C(0x4C5CEA36), UINT32_C(0xFA0F6154) }, ++ { UINT32_C(0x5FC49CFE), UINT32_C(0xF4FD9BED), UINT32_C(0xC9291678), ++ UINT32_C(0xD8CB45D1), UINT32_C(0x7B92C9F2), UINT32_C(0x94DB86CC), ++ UINT32_C(0x73C81169), UINT32_C(0x09CA5F38), UINT32_C(0xAEED06F0), ++ UINT32_C(0x109F40B0), UINT32_C(0x14DCAA0A), UINT32_C(0x9F0360B2) } }, ++ { { UINT32_C(0xE12AD3E7), UINT32_C(0x4189B70D), UINT32_C(0x10B06607), ++ UINT32_C(0x5208ADB2), UINT32_C(0xEE8497FA), UINT32_C(0xEBD8E2A2), ++ UINT32_C(0xE04F2ECB), UINT32_C(0x61B1BD67), UINT32_C(0x4F3F5F99), ++ UINT32_C(0x0E2DDA72), UINT32_C(0xF747B16D), UINT32_C(0xD5D96740) }, ++ { UINT32_C(0xA6BF397F), UINT32_C(0x308A48F6), UINT32_C(0x23A93595), ++ UINT32_C(0x7021C3E5), UINT32_C(0x36470AA0), UINT32_C(0xF10B0229), ++ UINT32_C(0x4E03295B), UINT32_C(0x7761E8EC), UINT32_C(0x07339770), ++ UINT32_C(0x16EFEF58), UINT32_C(0x5DA5DAA2), UINT32_C(0x0D55D2DD) } }, ++ { { UINT32_C(0x8A22F87A), UINT32_C(0x915EA6A3), UINT32_C(0x2E5A088E), ++ UINT32_C(0x191151C1), UINT32_C(0x7F1D5CBE), UINT32_C(0x190252F1), ++ UINT32_C(0x3B0EC99B), UINT32_C(0xE43F59C3), UINT32_C(0xFF2A6135), ++ UINT32_C(0xBE8588D4), UINT32_C(0x2ECB4B9F), UINT32_C(0x103877CC) }, ++ { UINT32_C(0x023CF92B), UINT32_C(0x8F4147E5), UINT32_C(0x0CC2085B), ++ UINT32_C(0xC24384CC), UINT32_C(0xD082D311), UINT32_C(0x6A2DB4A2), ++ UINT32_C(0xED7BA9AE), UINT32_C(0x06283811), UINT32_C(0x2A8E1592), ++ UINT32_C(0xE9A3F532), UINT32_C(0x5A59E894), UINT32_C(0xAC20F0F4) } }, ++ { { UINT32_C(0x74AAB4B1), UINT32_C(0x788CAA52), UINT32_C(0x2FEAFC7E), ++ UINT32_C(0xEB84ABA1), UINT32_C(0xAC04FF77), UINT32_C(0x31DA71DA), ++ UINT32_C(0x24E4D0BF), UINT32_C(0x39D12EB9), UINT32_C(0x87A34EF8), ++ UINT32_C(0x4F2F292F), UINT32_C(0xA237A8ED), UINT32_C(0x9B324372) }, ++ { UINT32_C(0x2EE3A82D), UINT32_C(0xBB2D04B1), UINT32_C(0xD18D36B2), ++ UINT32_C(0xED4FF367), UINT32_C(0xA6EA0138), UINT32_C(0x99D231EE), ++ UINT32_C(0x4F92E04A), UINT32_C(0x7C2D4F06), UINT32_C(0xCA272FD0), ++ UINT32_C(0x78A82AB2), UINT32_C(0xAB8CDC32), UINT32_C(0x7EC41340) } }, ++ }, ++ { ++ { { UINT32_C(0xD2E15A8C), UINT32_C(0xD23658C8), UINT32_C(0x16BA28CA), ++ UINT32_C(0x23F93DF7), UINT32_C(0x082210F1), UINT32_C(0x6DAB10EC), ++ UINT32_C(0xBFC36490), UINT32_C(0xFB1ADD91), UINT32_C(0x9A4F2D14), ++ UINT32_C(0xEDA8B02F), UINT32_C(0x56560443), UINT32_C(0x9060318C) }, ++ { UINT32_C(0x64711AB2), UINT32_C(0x6C01479E), UINT32_C(0xE337EB85), ++ UINT32_C(0x41446FC7), UINT32_C(0x71888397), UINT32_C(0x4DCF3C1D), ++ UINT32_C(0x13C34FD2), UINT32_C(0x87A9C04E), UINT32_C(0x510C15AC), ++ UINT32_C(0xFE0E08EC), UINT32_C(0xC0F495D2), UINT32_C(0xFC0D0413) } }, ++ { { UINT32_C(0x156636C2), UINT32_C(0xEB05C516), UINT32_C(0x090E93FC), ++ UINT32_C(0x2F613ABA), UINT32_C(0x489576F5), UINT32_C(0xCFD573CD), ++ UINT32_C(0x535A8D57), UINT32_C(0xE6535380), UINT32_C(0x671436C4), ++ UINT32_C(0x13947314), UINT32_C(0x5F0A122D), UINT32_C(0x1172FB0C) }, ++ { UINT32_C(0xC12F58F6), UINT32_C(0xAECC7EC1), UINT32_C(0x8E41AFD2), ++ UINT32_C(0xFE42F957), UINT32_C(0x3D4221AA), UINT32_C(0xDF96F652), ++ UINT32_C(0x2851996B), UINT32_C(0xFEF5649F), UINT32_C(0xD5CFB67E), ++ UINT32_C(0x46FB9F26), UINT32_C(0xEF5C4052), UINT32_C(0xB047BFC7) } }, ++ { { UINT32_C(0xF4484374), UINT32_C(0x5CBDC442), UINT32_C(0xF92452EF), ++ UINT32_C(0x6B156957), UINT32_C(0xC118D02A), UINT32_C(0x58A26886), ++ UINT32_C(0x75AAF276), UINT32_C(0x87FF74E6), UINT32_C(0xF65F6EC1), ++ UINT32_C(0xB133BE95), UINT32_C(0x4B1B8D32), UINT32_C(0xA89B6284) }, ++ { UINT32_C(0x09C81004), UINT32_C(0xDD8A8EF3), UINT32_C(0x0CF21991), ++ UINT32_C(0x7F8225DB), UINT32_C(0x26623FAF), UINT32_C(0xD525A6DB), ++ UINT32_C(0xBAE15453), UINT32_C(0xF2368D40), UINT32_C(0x84F89FC9), ++ UINT32_C(0x55D6A84D), UINT32_C(0x86021A3E), UINT32_C(0xAF38358A) } }, ++ { { UINT32_C(0xFF52E280), UINT32_C(0xBD048BDC), UINT32_C(0x526A1795), ++ UINT32_C(0x8A51D0B2), UINT32_C(0xA985AC0F), UINT32_C(0x40AAA758), ++ UINT32_C(0xF2C7ACE9), UINT32_C(0x6039BCDC), UINT32_C(0x6AEC347D), ++ UINT32_C(0x712092CC), UINT32_C(0x6B5ACAB7), UINT32_C(0x7976D090) }, ++ { UINT32_C(0x6EED9617), UINT32_C(0x1EBCF80D), UINT32_C(0xB0F404A4), ++ UINT32_C(0xB3A63149), UINT32_C(0xD0B610EF), UINT32_C(0x3FDD3D1A), ++ UINT32_C(0x98C28AC7), UINT32_C(0xDD3F6F94), UINT32_C(0x3A59750F), ++ UINT32_C(0x650B7794), UINT32_C(0x2D3991AC), UINT32_C(0xEC59BAB1) } }, ++ { { UINT32_C(0x2E552766), UINT32_C(0x01F40E88), UINT32_C(0x66F5354F), ++ UINT32_C(0x1FE3D509), UINT32_C(0xB3A8EA7F), UINT32_C(0x0E46D006), ++ UINT32_C(0xF831CD6A), UINT32_C(0xF75AB629), UINT32_C(0x91465119), ++ UINT32_C(0xDAD808D7), UINT32_C(0x17EF9B10), UINT32_C(0x442405AF) }, ++ { UINT32_C(0x672BDFCB), UINT32_C(0xD5FE0A96), UINT32_C(0x355DBDEC), ++ UINT32_C(0xA9DFA422), UINT32_C(0x79B25636), UINT32_C(0xFDB79AA1), ++ UINT32_C(0xEECE8AEC), UINT32_C(0xE7F26FFD), UINT32_C(0x7EDD5AA2), ++ UINT32_C(0xB5925550), UINT32_C(0x8EB3A6C2), UINT32_C(0x2C8F6FF0) } }, ++ { { UINT32_C(0x757D6136), UINT32_C(0x88887756), UINT32_C(0x88B92E72), ++ UINT32_C(0xAD9AC183), UINT32_C(0x8785D3EB), UINT32_C(0x92CB2FC4), ++ UINT32_C(0x9319764B), UINT32_C(0xD1A542FE), UINT32_C(0x626A62F8), ++ UINT32_C(0xAF4CC78F), UINT32_C(0x26BFFAAE), UINT32_C(0x7F3F5FC9) }, ++ { UINT32_C(0x40AE2231), UINT32_C(0x0A203D43), UINT32_C(0x387898E8), ++ UINT32_C(0xA8BFD9E0), UINT32_C(0x474B7DDD), UINT32_C(0x1A0C379C), ++ UINT32_C(0x34FD49EA), UINT32_C(0x03855E0A), UINT32_C(0xB3EF4AE1), ++ UINT32_C(0x02B26223), UINT32_C(0xE399E0A3), UINT32_C(0x804BD8CF) } }, ++ { { UINT32_C(0xDE865713), UINT32_C(0x11A9F3D0), UINT32_C(0xBDE98821), ++ UINT32_C(0x81E36B6B), UINT32_C(0x6AA891D0), UINT32_C(0x324996C8), ++ UINT32_C(0x395682B5), UINT32_C(0x7B95BDC1), UINT32_C(0xC1600563), ++ UINT32_C(0x47BF2219), UINT32_C(0x643E38B4), UINT32_C(0x7A473F50) }, ++ { UINT32_C(0xF5738288), UINT32_C(0x0911F50A), UINT32_C(0x6F9C415B), ++ UINT32_C(0xDF947A70), UINT32_C(0x67A067F6), UINT32_C(0xBDB994F2), ++ UINT32_C(0x88BE96CD), UINT32_C(0x3F4BEC1B), UINT32_C(0xE56DD6D9), ++ UINT32_C(0x9820E931), UINT32_C(0x0A80F419), UINT32_C(0xB138F14F) } }, ++ { { UINT32_C(0x0429077A), UINT32_C(0xA11A1A8F), UINT32_C(0x10351C68), ++ UINT32_C(0x2BB1E33D), UINT32_C(0x89459A27), UINT32_C(0x3C25ABFE), ++ UINT32_C(0x6B8AC774), UINT32_C(0x2D0091B8), UINT32_C(0x3B2415D9), ++ UINT32_C(0xDAFC7853), UINT32_C(0x9201680D), UINT32_C(0xDE713CF1) }, ++ { UINT32_C(0x68889D57), UINT32_C(0x8E5F445D), UINT32_C(0x60EABF5B), ++ UINT32_C(0x608B209C), UINT32_C(0xF9CFA408), UINT32_C(0x10EC0ACC), ++ UINT32_C(0x4D1EE754), UINT32_C(0xD5256B9D), UINT32_C(0x0AA6C18D), ++ UINT32_C(0xFF866BAB), UINT32_C(0xACB90A45), UINT32_C(0x9D196DB8) } }, ++ { { UINT32_C(0xB9B081B2), UINT32_C(0xA46D76A9), UINT32_C(0x62163C25), ++ UINT32_C(0xFC743A10), UINT32_C(0x7761C392), UINT32_C(0xCD2A5C8D), ++ UINT32_C(0xBE808583), UINT32_C(0x39BDDE0B), UINT32_C(0xB98E4DFE), ++ UINT32_C(0x7C416021), UINT32_C(0x65913A44), UINT32_C(0xF930E563) }, ++ { UINT32_C(0x7585CF3C), UINT32_C(0xC3555F7E), UINT32_C(0x3D6333D5), ++ UINT32_C(0xC737E383), UINT32_C(0xB430B03D), UINT32_C(0x5B60DBA4), ++ UINT32_C(0xE7555404), UINT32_C(0x42B715EB), UINT32_C(0x7C7796E3), ++ UINT32_C(0x571BDF5B), UINT32_C(0x6DB6331F), UINT32_C(0x33DC62C6) } }, ++ { { UINT32_C(0xE61DEE59), UINT32_C(0x3FB9CCB0), UINT32_C(0x18B14DB9), ++ UINT32_C(0xC5185F23), UINT32_C(0x845EF36C), UINT32_C(0x1B2ADC4F), ++ UINT32_C(0x5C1A33AB), UINT32_C(0x195D5B50), UINT32_C(0x421F59D2), ++ UINT32_C(0x8CEA528E), UINT32_C(0xD2931CEA), UINT32_C(0x7DFCCECF) }, ++ { UINT32_C(0x8CF7E3F7), UINT32_C(0x51FFA1D5), UINT32_C(0xBDC9FB43), ++ UINT32_C(0xF01B7886), UINT32_C(0x261A0D35), UINT32_C(0xD65AB610), ++ UINT32_C(0x7574A554), UINT32_C(0x84BCBAFD), UINT32_C(0xFAD70208), ++ UINT32_C(0x4B119956), UINT32_C(0x4FAB5243), UINT32_C(0xDDC329C2) } }, ++ { { UINT32_C(0x9CE92177), UINT32_C(0x1A08AA57), UINT32_C(0xDC2B5C36), ++ UINT32_C(0x3395E557), UINT32_C(0x394ED04E), UINT32_C(0xFDFE7041), ++ UINT32_C(0xC6DFCDDE), UINT32_C(0xB797EB24), UINT32_C(0xCB9DE5D6), ++ UINT32_C(0x284A6B2A), UINT32_C(0x07222765), UINT32_C(0xE0BD95C8) }, ++ { UINT32_C(0x9FE678A7), UINT32_C(0x114A951B), UINT32_C(0x9E4954EC), ++ UINT32_C(0xE7ECD0BD), UINT32_C(0x79F0B8A9), UINT32_C(0x7D4096FE), ++ UINT32_C(0x09724FE2), UINT32_C(0xBDB26E9A), UINT32_C(0xF787AF95), ++ UINT32_C(0x08741AD8), UINT32_C(0x24045AD8), UINT32_C(0x2BF97272) } }, ++ { { UINT32_C(0xA9451D57), UINT32_C(0xAB1FEDD9), UINT32_C(0x483E38C9), ++ UINT32_C(0xDF4D91DF), UINT32_C(0x24E9CF8E), UINT32_C(0x2D54D311), ++ UINT32_C(0x7A22EEB6), UINT32_C(0x9C2A5AF8), UINT32_C(0x0A43F123), ++ UINT32_C(0xBD9861EF), UINT32_C(0x38A18B7B), UINT32_C(0x581EA6A2) }, ++ { UINT32_C(0x296470A3), UINT32_C(0xAF339C85), UINT32_C(0xAFD8203E), ++ UINT32_C(0xF9603FCD), UINT32_C(0x96763C28), UINT32_C(0x95D05350), ++ UINT32_C(0x860EC831), UINT32_C(0x15445C16), UINT32_C(0x6867A323), ++ UINT32_C(0x2AFB8728), UINT32_C(0x0C4838BF), UINT32_C(0x4B152D6D) } }, ++ { { UINT32_C(0x837CACBA), UINT32_C(0x45BA0E4F), UINT32_C(0xC0725275), ++ UINT32_C(0x7ADB38AE), UINT32_C(0x942D3C28), UINT32_C(0x19C82831), ++ UINT32_C(0x6D0FE7DD), UINT32_C(0x94F4731D), UINT32_C(0x4898F1E6), ++ UINT32_C(0xC3C07E13), UINT32_C(0xED410B51), UINT32_C(0x76350EAC) }, ++ { UINT32_C(0xF99AACFC), UINT32_C(0x0FA8BECA), UINT32_C(0x65FAF9CF), ++ UINT32_C(0x2834D86F), UINT32_C(0x6F3866AF), UINT32_C(0x8E62846A), ++ UINT32_C(0x3DFD6A2B), UINT32_C(0xDAA9BD4F), UINT32_C(0xA6132655), ++ UINT32_C(0xC27115BB), UINT32_C(0xBD5A32C2), UINT32_C(0x83972DF7) } }, ++ { { UINT32_C(0xD513B825), UINT32_C(0xA330CB5B), UINT32_C(0xEE37BEC3), ++ UINT32_C(0xAE18B2D3), UINT32_C(0xF780A902), UINT32_C(0xFC3AB80A), ++ UINT32_C(0xD607DDF1), UINT32_C(0xD7835BE2), UINT32_C(0x5B6E4C2B), ++ UINT32_C(0x8120F767), UINT32_C(0x67E78CCB), UINT32_C(0xAA8C3859) }, ++ { UINT32_C(0xAA0ED321), UINT32_C(0xA8DA8CE2), UINT32_C(0xD766341A), ++ UINT32_C(0xCB8846FD), UINT32_C(0x33DC9D9A), UINT32_C(0xF2A342EE), ++ UINT32_C(0xD0A18A80), UINT32_C(0xA519E0BE), UINT32_C(0xAF48DF4C), ++ UINT32_C(0x9CDAA39C), UINT32_C(0x7E0C19EE), UINT32_C(0xA4B500CA) } }, ++ { { UINT32_C(0x8217001B), UINT32_C(0x83A7FD2F), UINT32_C(0x4296A8BA), ++ UINT32_C(0x4F6FCF06), UINT32_C(0x91619927), UINT32_C(0x7D748643), ++ UINT32_C(0x941E4D41), UINT32_C(0x174C1075), UINT32_C(0xA64F5A6C), ++ UINT32_C(0x037EDEBD), UINT32_C(0x6E29DC56), UINT32_C(0xCF64DB3A) }, ++ { UINT32_C(0x37C0B9F4), UINT32_C(0x150B3ACE), UINT32_C(0x7168178B), ++ UINT32_C(0x1323234A), UINT32_C(0xEF4D1879), UINT32_C(0x1CE47014), ++ UINT32_C(0x17FB4D5C), UINT32_C(0xA22E3742), UINT32_C(0xD985F794), ++ UINT32_C(0x69B81822), UINT32_C(0x081D7214), UINT32_C(0x199C21C4) } }, ++ { { UINT32_C(0x8F04B4D2), UINT32_C(0x160BC7A1), UINT32_C(0xB10DE174), ++ UINT32_C(0x79CA81DD), UINT32_C(0x2DA1E9C7), UINT32_C(0xE2A280B0), ++ UINT32_C(0x1D6A0A29), UINT32_C(0xB4F6BD99), UINT32_C(0x1C5B8F27), ++ UINT32_C(0x57CF3EDD), UINT32_C(0x158C2FD4), UINT32_C(0x7E34FC57) }, ++ { UINT32_C(0xCAC93459), UINT32_C(0x828CFD89), UINT32_C(0xB7AF499F), ++ UINT32_C(0x9E631B6F), UINT32_C(0xDA26C135), UINT32_C(0xF4DC8BC0), ++ UINT32_C(0x37186735), UINT32_C(0x6128ED39), UINT32_C(0x67BF0BA5), ++ UINT32_C(0xBB45538B), UINT32_C(0x0064A3AB), UINT32_C(0x1ADDD4C1) } }, ++ }, ++ { ++ { { UINT32_C(0xDD14D47E), UINT32_C(0xC32730E8), UINT32_C(0xC0F01E0F), ++ UINT32_C(0xCDC1FD42), UINT32_C(0x3F5CD846), UINT32_C(0x2BACFDBF), ++ UINT32_C(0x7272D4DD), UINT32_C(0x45F36416), UINT32_C(0x5EB75776), ++ UINT32_C(0xDD813A79), UINT32_C(0x50997BE2), UINT32_C(0xB57885E4) }, ++ { UINT32_C(0xDB8C9829), UINT32_C(0xDA054E2B), UINT32_C(0xAAB5A594), ++ UINT32_C(0x4161D820), UINT32_C(0x026116A3), UINT32_C(0x4C428F31), ++ UINT32_C(0xDCD85E91), UINT32_C(0x372AF9A0), UINT32_C(0x673ADC2D), ++ UINT32_C(0xFDA6E903), UINT32_C(0xA8DB59E6), UINT32_C(0x4526B8AC) } }, ++ { { UINT32_C(0xE23A8472), UINT32_C(0x68FE359D), UINT32_C(0x4CE3C101), ++ UINT32_C(0x43EB12BD), UINT32_C(0xFC704935), UINT32_C(0x0EC652C3), ++ UINT32_C(0x52E4E22D), UINT32_C(0x1EEFF1F9), UINT32_C(0x083E3ADA), ++ UINT32_C(0xBA6777CB), UINT32_C(0x8BEFC871), UINT32_C(0xAB52D7DC) }, ++ { UINT32_C(0x497CBD59), UINT32_C(0x4EDE689F), UINT32_C(0x27577DD9), ++ UINT32_C(0xC8AE42B9), UINT32_C(0x7AB83C27), UINT32_C(0xE0F08051), ++ UINT32_C(0x2C8C1F48), UINT32_C(0x1F3D5F25), UINT32_C(0xAF241AAC), ++ UINT32_C(0x57991607), UINT32_C(0xB8A337E0), UINT32_C(0xC4458B0A) } }, ++ { { UINT32_C(0x51DD1BA9), UINT32_C(0x3DBB3FA6), UINT32_C(0x545E960B), ++ UINT32_C(0xE53C1C4D), UINT32_C(0x793CE803), UINT32_C(0x35AC6574), ++ UINT32_C(0x83DBCE4F), UINT32_C(0xB2697DC7), UINT32_C(0xE13CF6B0), ++ UINT32_C(0xE35C5BF2), UINT32_C(0xB0C4A164), UINT32_C(0x35034280) }, ++ { UINT32_C(0xD9C0D3C1), UINT32_C(0xAA490908), UINT32_C(0xCB4D2E90), ++ UINT32_C(0x2CCE614D), UINT32_C(0x54D504E4), UINT32_C(0xF646E96C), ++ UINT32_C(0xB73310A3), UINT32_C(0xD74E7541), UINT32_C(0x18BDE5DA), ++ UINT32_C(0xEAD71596), UINT32_C(0xAA09AEF7), UINT32_C(0x96E7F4A8) } }, ++ { { UINT32_C(0x5D6E5F48), UINT32_C(0xA8393A24), UINT32_C(0xF9175CE8), ++ UINT32_C(0x2C8D7EA2), UINT32_C(0x55A20268), UINT32_C(0xD8824E02), ++ UINT32_C(0xA446BCC6), UINT32_C(0x9DD9A272), UINT32_C(0x5351499B), ++ UINT32_C(0xC929CDED), UINT32_C(0xCFE76535), UINT32_C(0xEA5AD9EC) }, ++ { UINT32_C(0xDC32D001), UINT32_C(0x26F3D7D9), UINT32_C(0x43EB9689), ++ UINT32_C(0x51C3BE83), UINT32_C(0x759E6DDB), UINT32_C(0x91FDCC06), ++ UINT32_C(0xE302B891), UINT32_C(0xAC2E1904), UINT32_C(0xC207E1F7), ++ UINT32_C(0xAD25C645), UINT32_C(0xAB3DEB4A), UINT32_C(0x28A70F0D) } }, ++ { { UINT32_C(0x03BEA8F1), UINT32_C(0x922D7F97), UINT32_C(0x584570BE), ++ UINT32_C(0x3AD820D4), UINT32_C(0x3CD46B43), UINT32_C(0x0CE0A850), ++ UINT32_C(0xAE66743D), UINT32_C(0x4C07911F), UINT32_C(0xFDA60023), ++ UINT32_C(0x66519EB9), UINT32_C(0xEC2ACD9C), UINT32_C(0x7F83004B) }, ++ { UINT32_C(0xC3117EAD), UINT32_C(0x001E0B80), UINT32_C(0x0722BA25), ++ UINT32_C(0xBB72D541), UINT32_C(0x6E9A5078), UINT32_C(0x3AF7DB96), ++ UINT32_C(0x701B6B4C), UINT32_C(0x86C5774E), UINT32_C(0x37824DB5), ++ UINT32_C(0xBD2C0E8E), UINT32_C(0xBFAC286D), UINT32_C(0x3AE3028C) } }, ++ { { UINT32_C(0xA33E071B), UINT32_C(0x83D4D4A8), UINT32_C(0x61444BB5), ++ UINT32_C(0x881C0A92), UINT32_C(0x520E3BC3), UINT32_C(0xEEA1E292), ++ UINT32_C(0x2AAAB729), UINT32_C(0x5A5F4C3C), UINT32_C(0xE63C7C94), ++ UINT32_C(0x0B766C5E), UINT32_C(0xBB2CC79C), UINT32_C(0x62BB8A9F) }, ++ { UINT32_C(0xAA5DC49D), UINT32_C(0x97ADC7D2), UINT32_C(0x31718681), ++ UINT32_C(0x30CC26B3), UINT32_C(0x56E86EDE), UINT32_C(0xAC86E6FF), ++ UINT32_C(0xCD52F7F2), UINT32_C(0x37BCA7A2), UINT32_C(0x9CE6D87F), ++ UINT32_C(0x734D2C94), UINT32_C(0xC2F7E0CA), UINT32_C(0x06A71D71) } }, ++ { { UINT32_C(0xC6357D33), UINT32_C(0x559DCF75), UINT32_C(0x652517DE), ++ UINT32_C(0x4616D940), UINT32_C(0x1CCF207B), UINT32_C(0x3D576B98), ++ UINT32_C(0x1979F631), UINT32_C(0x51E2D1EF), UINT32_C(0x06AE8296), ++ UINT32_C(0x57517DDD), UINT32_C(0xD6E7151F), UINT32_C(0x309A3D7F) }, ++ { UINT32_C(0x0E3A6FE5), UINT32_C(0xBA2A23E6), UINT32_C(0xD28B22C3), ++ UINT32_C(0x76CF674A), UINT32_C(0xF8B808C3), UINT32_C(0xD235AD07), ++ UINT32_C(0x6B71213A), UINT32_C(0x7BBF4C58), UINT32_C(0x93271EBB), ++ UINT32_C(0x0676792E), UINT32_C(0x05B1FC31), UINT32_C(0x2CFD2C76) } }, ++ { { UINT32_C(0x37A450F5), UINT32_C(0x4258E5C0), UINT32_C(0x52D2B118), ++ UINT32_C(0xC3245F1B), UINT32_C(0x82BC5963), UINT32_C(0x6DF7B484), ++ UINT32_C(0x9C273D1E), UINT32_C(0xE520DA4D), UINT32_C(0x2C3010E5), ++ UINT32_C(0xED78E012), UINT32_C(0x3C1D4C05), UINT32_C(0x11222948) }, ++ { UINT32_C(0xC692B490), UINT32_C(0xE3DAE5AF), UINT32_C(0xC197F793), ++ UINT32_C(0x3272BD10), UINT32_C(0xE709ACAA), UINT32_C(0xF7EAE411), ++ UINT32_C(0x778270A6), UINT32_C(0x00B0C95F), UINT32_C(0x220D4350), ++ UINT32_C(0x4DA76EE1), UINT32_C(0xAB71E308), UINT32_C(0x521E1461) } }, ++ { { UINT32_C(0x343196A3), UINT32_C(0x7B654323), UINT32_C(0xB0C95250), ++ UINT32_C(0x35D442AD), UINT32_C(0xE264FF17), UINT32_C(0x38AF50E6), ++ UINT32_C(0x2030D2EA), UINT32_C(0x28397A41), UINT32_C(0xF74EEDA1), ++ UINT32_C(0x8F1D84E9), UINT32_C(0xE6FB3C52), UINT32_C(0xD521F92D) }, ++ { UINT32_C(0x95733811), UINT32_C(0xAF358D77), UINT32_C(0x93ABFE94), ++ UINT32_C(0xEBFDDD01), UINT32_C(0xD18D99DE), UINT32_C(0x05D8A028), ++ UINT32_C(0xB5D5BDD9), UINT32_C(0x5A664019), UINT32_C(0x2AA12FE8), ++ UINT32_C(0x3DF17282), UINT32_C(0xB889A28E), UINT32_C(0xB42E006F) } }, ++ { { UINT32_C(0xBC35CB1A), UINT32_C(0xCF10E97D), UINT32_C(0x994DEDC5), ++ UINT32_C(0xC70A7BBD), UINT32_C(0x37D04FB9), UINT32_C(0x76A5327C), ++ UINT32_C(0xA76E0CDA), UINT32_C(0x87539F76), UINT32_C(0xCD60A6B1), ++ UINT32_C(0xE9FE493F), UINT32_C(0x132F01C0), UINT32_C(0xA4574796) }, ++ { UINT32_C(0xDB70B167), UINT32_C(0xC43B85EB), UINT32_C(0x98551DFA), ++ UINT32_C(0x81D5039A), UINT32_C(0x1D979FA4), UINT32_C(0x6B56FBE9), ++ UINT32_C(0x8615098F), UINT32_C(0x49714FD7), UINT32_C(0x94DECAB5), ++ UINT32_C(0xB10E1CEA), UINT32_C(0x480EF6E3), UINT32_C(0x8342EBA3) } }, ++ { { UINT32_C(0xB3677288), UINT32_C(0xE1E030B0), UINT32_C(0x8D5CE3AF), ++ UINT32_C(0x2978174C), UINT32_C(0xF7B2DE98), UINT32_C(0xAFC0271C), ++ UINT32_C(0xB99C20B5), UINT32_C(0x745BC6F3), UINT32_C(0x1E3BB4E5), ++ UINT32_C(0x9F6EDCED), UINT32_C(0x73C8C1FC), UINT32_C(0x58D3EE4E) }, ++ { UINT32_C(0x7FD30124), UINT32_C(0x1F3535F4), UINT32_C(0x5FA62502), ++ UINT32_C(0xF366AC70), UINT32_C(0x965363FE), UINT32_C(0x4C4C1FDD), ++ UINT32_C(0x1DE2CA2B), UINT32_C(0x8B2C7777), UINT32_C(0x882F1173), ++ UINT32_C(0x0CB54743), UINT32_C(0x71343331), UINT32_C(0x94B6B8C0) } }, ++ { { UINT32_C(0x65B8B35B), UINT32_C(0x75AF0141), UINT32_C(0x4670A1F5), ++ UINT32_C(0x6D7B8485), UINT32_C(0xA3B6D376), UINT32_C(0x6EAA3A47), ++ UINT32_C(0xCB3E5B66), UINT32_C(0xD7E673D2), UINT32_C(0x9589AB38), ++ UINT32_C(0xC0338E6C), UINT32_C(0x09440FAA), UINT32_C(0x4BE26CB3) }, ++ { UINT32_C(0x394F9AA3), UINT32_C(0x82CB05E7), UINT32_C(0x7F7792EA), ++ UINT32_C(0xC45C8A8A), UINT32_C(0xB687DC70), UINT32_C(0x37E5E33B), ++ UINT32_C(0xDFE48E49), UINT32_C(0x63853219), UINT32_C(0x6D0E5C8C), ++ UINT32_C(0x087951C1), UINT32_C(0x2BC27310), UINT32_C(0x7696A8C7) } }, ++ { { UINT32_C(0xB67E834A), UINT32_C(0xA05736D5), UINT32_C(0x9098D42A), ++ UINT32_C(0xDD2AA0F2), UINT32_C(0x49C69DDC), UINT32_C(0x09F0C1D8), ++ UINT32_C(0x8FF0F0F3), UINT32_C(0x81F8BC1C), UINT32_C(0x03037775), ++ UINT32_C(0x36FD3A4F), UINT32_C(0x4B06DF5C), UINT32_C(0x8286717D) }, ++ { UINT32_C(0xA9079EA2), UINT32_C(0xB878F496), UINT32_C(0xD7DC796D), ++ UINT32_C(0xA5642426), UINT32_C(0x67FDAC2B), UINT32_C(0x29B9351A), ++ UINT32_C(0x1D543CDE), UINT32_C(0x93774C0E), UINT32_C(0x1A8E31C4), ++ UINT32_C(0x4F8793BA), UINT32_C(0x6C94798A), UINT32_C(0x7C9F3F3A) } }, ++ { { UINT32_C(0xCB8ECDB8), UINT32_C(0x23C5AD11), UINT32_C(0x485A6A02), ++ UINT32_C(0x1E88D25E), UINT32_C(0xF1E268AE), UINT32_C(0xB27CBE84), ++ UINT32_C(0xF4CD0475), UINT32_C(0xDDA80238), UINT32_C(0x49F8EB1B), ++ UINT32_C(0x4F88857B), UINT32_C(0x52FB07F9), UINT32_C(0x91B1221F) }, ++ { UINT32_C(0x8637FA67), UINT32_C(0x7CE97460), UINT32_C(0x632198D8), ++ UINT32_C(0x528B3CF4), UINT32_C(0xF6623769), UINT32_C(0x33365AB3), ++ UINT32_C(0x3A83A30F), UINT32_C(0x6FEBCFFF), UINT32_C(0x9BD341EB), ++ UINT32_C(0x398F4C99), UINT32_C(0xB33A333C), UINT32_C(0x180712BB) } }, ++ { { UINT32_C(0xD93429E7), UINT32_C(0x2B8655A2), UINT32_C(0x75C8B9EE), ++ UINT32_C(0x99D600BB), UINT32_C(0x88FCA6CD), UINT32_C(0x9FC1AF8B), ++ UINT32_C(0x7C311F80), UINT32_C(0x2FB53386), UINT32_C(0xE8A71EEE), ++ UINT32_C(0x20743ECB), UINT32_C(0xE848B49E), UINT32_C(0xEC3713C4) }, ++ { UINT32_C(0xBB886817), UINT32_C(0x5B2037B5), UINT32_C(0x307DBAF4), ++ UINT32_C(0x40EF5AC2), UINT32_C(0x1B3F643D), UINT32_C(0xC2888AF2), ++ UINT32_C(0x9D5A4190), UINT32_C(0x0D8252E1), UINT32_C(0x2DB52A8A), ++ UINT32_C(0x06CC0BEC), UINT32_C(0xAB94E969), UINT32_C(0xB84B98EA) } }, ++ { { UINT32_C(0xA0321E0E), UINT32_C(0x2E7AC078), UINT32_C(0xEF3DAAB6), ++ UINT32_C(0x5C5A1168), UINT32_C(0xADDD454A), UINT32_C(0xD2D573CB), ++ UINT32_C(0x36259CC7), UINT32_C(0x27E149E2), UINT32_C(0xA63F47F1), ++ UINT32_C(0x1EDFD469), UINT32_C(0xF1BD2CFD), UINT32_C(0x039AD674) }, ++ { UINT32_C(0x3077D3CC), UINT32_C(0xBFA633FC), UINT32_C(0x2FD64E9F), ++ UINT32_C(0x14A7C82F), UINT32_C(0x9D824999), UINT32_C(0xAAA65014), ++ UINT32_C(0x21760F2E), UINT32_C(0x41AB113B), UINT32_C(0x1CAE260A), ++ UINT32_C(0x23E646C5), UINT32_C(0x68DC5159), UINT32_C(0x08062C8F) } }, ++ }, ++ { ++ { { UINT32_C(0x204BE028), UINT32_C(0x2E7D0A16), UINT32_C(0xD0E41851), ++ UINT32_C(0x4F1D082E), UINT32_C(0x3EB317F9), UINT32_C(0x15F1DDC6), ++ UINT32_C(0x5ADF71D7), UINT32_C(0xF0275071), UINT32_C(0xEE858BC3), ++ UINT32_C(0x2CE33C2E), UINT32_C(0xDA73B71A), UINT32_C(0xA24C76D1) }, ++ { UINT32_C(0x6C70C483), UINT32_C(0x9EF6A70A), UINT32_C(0x05CF9612), ++ UINT32_C(0xEFCF1705), UINT32_C(0x7502DE64), UINT32_C(0x9F5BF5A6), ++ UINT32_C(0xA4701973), UINT32_C(0xD11122A1), UINT32_C(0xA2EA7B24), ++ UINT32_C(0x82CFAAC2), UINT32_C(0x0A4582E1), UINT32_C(0x6CAD67CC) } }, ++ { { UINT32_C(0xB4DC8600), UINT32_C(0x597A26FF), UINT32_C(0xF9288555), ++ UINT32_C(0x264A09F3), UINT32_C(0x5C27F5F6), UINT32_C(0x0B06AFF6), ++ UINT32_C(0xD8D544E6), UINT32_C(0xCE5AB665), UINT32_C(0x99275C32), ++ UINT32_C(0x92F031BE), UINT32_C(0xF42E0E7C), UINT32_C(0xAF51C5BB) }, ++ { UINT32_C(0x1E37B36D), UINT32_C(0x5BB28B06), UINT32_C(0x8473543A), ++ UINT32_C(0x583FBA6A), UINT32_C(0xF93FB7DC), UINT32_C(0xE73FD299), ++ UINT32_C(0x6E2CCAD9), UINT32_C(0xFCD999A8), UINT32_C(0x334D4F57), ++ UINT32_C(0xB8C8A6DF), UINT32_C(0x9A2ACC9B), UINT32_C(0x5ADB28DD) } }, ++ { { UINT32_C(0x111792B9), UINT32_C(0x5ADF3D9A), UINT32_C(0x4F1E0D09), ++ UINT32_C(0x1C77A305), UINT32_C(0xA82D3736), UINT32_C(0xF9FBCE33), ++ UINT32_C(0x718C8AA3), UINT32_C(0xF307823E), UINT32_C(0x416CCF69), ++ UINT32_C(0x860578CF), UINT32_C(0x1EF8465B), UINT32_C(0xB942ADD8) }, ++ { UINT32_C(0xCD9472E1), UINT32_C(0x9EE0CF97), UINT32_C(0xB01528A8), ++ UINT32_C(0xE6792EEF), UINT32_C(0xC09DA90B), UINT32_C(0xF99B9A8D), ++ UINT32_C(0xCBF3CCB8), UINT32_C(0x1F521C2D), UINT32_C(0x91A62632), ++ UINT32_C(0x6BF66948), UINT32_C(0x854FE9DA), UINT32_C(0xCC7A9CEB) } }, ++ { { UINT32_C(0x491CCB92), UINT32_C(0x46303171), UINT32_C(0x2771235B), ++ UINT32_C(0xA80A8C0D), UINT32_C(0xF172C7CF), UINT32_C(0xD8E497FF), ++ UINT32_C(0x35B193CF), UINT32_C(0x7F7009D7), UINT32_C(0xF19DF4BC), ++ UINT32_C(0x6B9FD3F7), UINT32_C(0xB46F1E37), UINT32_C(0xADA548C3) }, ++ { UINT32_C(0xC7A20270), UINT32_C(0x87C6EAA9), UINT32_C(0xAE78EF99), ++ UINT32_C(0xEF2245D6), UINT32_C(0x539EAB95), UINT32_C(0x2A121042), ++ UINT32_C(0x79B8F5CC), UINT32_C(0x29A6D5D7), UINT32_C(0xB77840DC), ++ UINT32_C(0x33803A10), UINT32_C(0x11A6A30F), UINT32_C(0xFEDD3A70) } }, ++ { { UINT32_C(0x142403D1), UINT32_C(0xFA070E22), UINT32_C(0x15C6F7F5), ++ UINT32_C(0x68FF3160), UINT32_C(0x223A0CE8), UINT32_C(0xE09F04E6), ++ UINT32_C(0x53E14183), UINT32_C(0x22BBD018), UINT32_C(0xCF45B75B), ++ UINT32_C(0x35D9FAFC), UINT32_C(0x7ECEEC88), UINT32_C(0x3A34819D) }, ++ { UINT32_C(0xD33262D2), UINT32_C(0xD9CF7568), UINT32_C(0x841D1505), ++ UINT32_C(0x431036D5), UINT32_C(0x9EB2A79A), UINT32_C(0x0C800565), ++ UINT32_C(0x5F7EDC6A), UINT32_C(0x8E77D9F0), UINT32_C(0x65E800AA), ++ UINT32_C(0x19E12D05), UINT32_C(0xB7784E7C), UINT32_C(0x335C8D36) } }, ++ { { UINT32_C(0x6484FD40), UINT32_C(0x8B2FC4E9), UINT32_C(0xA35D24EA), ++ UINT32_C(0xEE702764), UINT32_C(0xB871C3F3), UINT32_C(0x15B28AC7), ++ UINT32_C(0xE097047F), UINT32_C(0x805B4048), UINT32_C(0x647CAD2F), ++ UINT32_C(0xD6F1B8DF), UINT32_C(0xDC7DD67F), UINT32_C(0xF1D5B458) }, ++ { UINT32_C(0x25148803), UINT32_C(0x324C529C), UINT32_C(0x21274FAF), ++ UINT32_C(0xF6185EBE), UINT32_C(0x95148B55), UINT32_C(0xAF14751E), ++ UINT32_C(0x28F284F4), UINT32_C(0x283ED89D), UINT32_C(0x4CBEBF1A), ++ UINT32_C(0x93AD20E7), UINT32_C(0x882935E1), UINT32_C(0x5F6EC65D) } }, ++ { { UINT32_C(0xA4DCEFE9), UINT32_C(0xE222EBA4), UINT32_C(0xEC1CEB74), ++ UINT32_C(0x63AD235F), UINT32_C(0xE05B18E7), UINT32_C(0x2E0BF749), ++ UINT32_C(0xB48BDD87), UINT32_C(0x547BD050), UINT32_C(0xF5AA2FC4), ++ UINT32_C(0x0490C970), UINT32_C(0x2B431390), UINT32_C(0xCED5E4CF) }, ++ { UINT32_C(0x51D2898E), UINT32_C(0x07D82704), UINT32_C(0x083B57D4), ++ UINT32_C(0x44B72442), UINT32_C(0x5037FCE8), UINT32_C(0xA4ADA230), ++ UINT32_C(0x50510DA6), UINT32_C(0x55F7905E), UINT32_C(0x8D890A98), ++ UINT32_C(0xD8EE724F), UINT32_C(0x11B85640), UINT32_C(0x925A8E7C) } }, ++ { { UINT32_C(0x1CA459ED), UINT32_C(0x5BFA10CD), UINT32_C(0x6DCF56BF), ++ UINT32_C(0x593F085A), UINT32_C(0xC0579C3E), UINT32_C(0xE6F0AD9B), ++ UINT32_C(0x2527C1AD), UINT32_C(0xC11C95A2), UINT32_C(0xCF1CB8B3), ++ UINT32_C(0x7CFA71E1), UINT32_C(0x1D6DC79D), UINT32_C(0xEDCFF833) }, ++ { UINT32_C(0x432521C9), UINT32_C(0x581C4BBE), UINT32_C(0x144E11A0), ++ UINT32_C(0xBF620096), UINT32_C(0xBE3A107B), UINT32_C(0x54C38B71), ++ UINT32_C(0xE2606EC0), UINT32_C(0xED555E37), UINT32_C(0xD721D034), ++ UINT32_C(0x3FB148B8), UINT32_C(0x0091BC90), UINT32_C(0x79D53DAD) } }, ++ { { UINT32_C(0xB7082C80), UINT32_C(0xE32068C5), UINT32_C(0x7A144E22), ++ UINT32_C(0x4140FFD2), UINT32_C(0x9EDD9E86), UINT32_C(0x5811D2F0), ++ UINT32_C(0xC572C465), UINT32_C(0xCDD79B5F), UINT32_C(0xC97BF450), ++ UINT32_C(0x3563FED1), UINT32_C(0xF2CE5C9C), UINT32_C(0x985C1444) }, ++ { UINT32_C(0x99950F1C), UINT32_C(0x260AE797), UINT32_C(0x765E9DED), ++ UINT32_C(0x659F4F40), UINT32_C(0x2E3BC286), UINT32_C(0x2A412D66), ++ UINT32_C(0xF87E0C82), UINT32_C(0xE865E62C), UINT32_C(0x6C05E7D7), ++ UINT32_C(0xD63D3A9A), UINT32_C(0x8686F89A), UINT32_C(0x96725D67) } }, ++ { { UINT32_C(0xAB7EA0F5), UINT32_C(0xC99A5E4C), UINT32_C(0xC5393FA9), ++ UINT32_C(0xC9860A1A), UINT32_C(0x8FDEEFC0), UINT32_C(0x9ED83CEE), ++ UINT32_C(0x5ED6869A), UINT32_C(0xE3EA8B4C), UINT32_C(0xD2EED3A9), ++ UINT32_C(0x89A85463), UINT32_C(0xE421A622), UINT32_C(0x2CD91B6D) }, ++ { UINT32_C(0x2C91C41D), UINT32_C(0x6FEC1EF3), UINT32_C(0x8171037D), ++ UINT32_C(0xB1540D1F), UINT32_C(0x1C010E5B), UINT32_C(0x4FE4991A), ++ UINT32_C(0xFC1C7368), UINT32_C(0x28A3469F), UINT32_C(0xAF118781), ++ UINT32_C(0xE1EEECD1), UINT32_C(0x99EF3531), UINT32_C(0x1BCCB977) } }, ++ { { UINT32_C(0xC4DAB7B8), UINT32_C(0x63D3B638), UINT32_C(0x3F7F5BAB), ++ UINT32_C(0xD92133B6), UINT32_C(0x09FB6069), UINT32_C(0x2573EE20), ++ UINT32_C(0x890A1686), UINT32_C(0x771FABDF), UINT32_C(0xA77AFFF5), ++ UINT32_C(0x1D0BA21F), UINT32_C(0xBA3DD2C0), UINT32_C(0x83145FCC) }, ++ { UINT32_C(0x2D115C20), UINT32_C(0xFA073A81), UINT32_C(0x19176F27), ++ UINT32_C(0x6AB7A9D3), UINT32_C(0x9AC639EE), UINT32_C(0xAF62CF93), ++ UINT32_C(0x2CCD1319), UINT32_C(0xF73848B9), UINT32_C(0x3C71659D), ++ UINT32_C(0x3B613234), UINT32_C(0x10AB3826), UINT32_C(0xF8E0011C) } }, ++ { { UINT32_C(0x0282FFA5), UINT32_C(0x0501F036), UINT32_C(0xD9E0F15A), ++ UINT32_C(0xC39A5CF4), UINT32_C(0x9A3D1F3C), UINT32_C(0x48D8C729), ++ UINT32_C(0x64E18EDA), UINT32_C(0xB5FC136B), UINT32_C(0x7E58FEF0), ++ UINT32_C(0xE81B53D9), UINT32_C(0xF7B0F28D), UINT32_C(0x0D534055) }, ++ { UINT32_C(0x7A80619B), UINT32_C(0x47B8DE12), UINT32_C(0x81F9E55D), ++ UINT32_C(0x60E2A2B3), UINT32_C(0xCF564CC5), UINT32_C(0x6E9624D7), ++ UINT32_C(0x6BDEDFFF), UINT32_C(0xFDF18A21), UINT32_C(0xC0D5FC82), ++ UINT32_C(0x3787DE38), UINT32_C(0x497A6B11), UINT32_C(0xCBCAA347) } }, ++ { { UINT32_C(0xB226465A), UINT32_C(0x6E7EF35E), UINT32_C(0x5F8A2BAF), ++ UINT32_C(0x4B469919), UINT32_C(0x1120D93F), UINT32_C(0x44B3A3CF), ++ UINT32_C(0x68F34AD1), UINT32_C(0xB052C8B6), UINT32_C(0xEF7632DD), ++ UINT32_C(0x27EC574B), UINT32_C(0x685DE26F), UINT32_C(0xAEBEA108) }, ++ { UINT32_C(0xE39424B6), UINT32_C(0xDA33236B), UINT32_C(0xEBCC22AD), ++ UINT32_C(0xB1BD94A9), UINT32_C(0x2CDFB5D5), UINT32_C(0x6DDEE6CC), ++ UINT32_C(0x6F14069A), UINT32_C(0xBDAED927), UINT32_C(0x2A247CB7), ++ UINT32_C(0x2ADE427C), UINT32_C(0xED156A40), UINT32_C(0xCE96B436) } }, ++ { { UINT32_C(0x81F3F819), UINT32_C(0xDDDCA360), UINT32_C(0xD419B96A), ++ UINT32_C(0x4AF4A49F), UINT32_C(0x7CB966B9), UINT32_C(0x746C6525), ++ UINT32_C(0x6F610023), UINT32_C(0x01E39088), UINT32_C(0x98DD33FC), ++ UINT32_C(0x05ECB38D), UINT32_C(0x8F84EDF4), UINT32_C(0x962B971B) }, ++ { UINT32_C(0x6A6F2602), UINT32_C(0xEB32C0A5), UINT32_C(0x562D60F2), ++ UINT32_C(0xF026AF71), UINT32_C(0x84615FAB), UINT32_C(0xA9E246BF), ++ UINT32_C(0x75DBAE01), UINT32_C(0xAD967092), UINT32_C(0x3ECE5D07), ++ UINT32_C(0xBF97C79B), UINT32_C(0x74EAA3D3), UINT32_C(0xE06266C7) } }, ++ { { UINT32_C(0x2E6DBB6E), UINT32_C(0x161A0157), UINT32_C(0x60FA8F47), ++ UINT32_C(0xB8AF4904), UINT32_C(0x00197F22), UINT32_C(0xE4336C44), ++ UINT32_C(0x9CEDCE0E), UINT32_C(0xF811AFFA), UINT32_C(0xF94C2EF1), ++ UINT32_C(0xB1DD7685), UINT32_C(0xCA957BB0), UINT32_C(0xEEDC0F4B) }, ++ { UINT32_C(0x4AA76BB1), UINT32_C(0xD319FD57), UINT32_C(0x16CD7CCB), ++ UINT32_C(0xB3525D7C), UINT32_C(0xA97DD072), UINT32_C(0x7B22DA9C), ++ UINT32_C(0x38A83E71), UINT32_C(0x99DB84BD), UINT32_C(0xC0EDD8BE), ++ UINT32_C(0x4939BC8D), UINT32_C(0x903A932C), UINT32_C(0x06D524EA) } }, ++ { { UINT32_C(0x0E31F639), UINT32_C(0x4BC950EC), UINT32_C(0x6016BE30), ++ UINT32_C(0xB7ABD3DC), UINT32_C(0x6703DAD0), UINT32_C(0x3B0F4473), ++ UINT32_C(0x0AC1C4EA), UINT32_C(0xCC405F8B), UINT32_C(0x176C3FEE), ++ UINT32_C(0x9BED5E57), UINT32_C(0x36AE36C2), UINT32_C(0xF4524810) }, ++ { UINT32_C(0x15D7B503), UINT32_C(0xC1EDBB83), UINT32_C(0xE30F3657), ++ UINT32_C(0x943B1156), UINT32_C(0x98377805), UINT32_C(0x984E9EEF), ++ UINT32_C(0x36CF1DEB), UINT32_C(0x291AE7AC), UINT32_C(0xA9F66DF3), ++ UINT32_C(0xFED8748C), UINT32_C(0xFEA8FA5D), UINT32_C(0xECA758BB) } }, ++ }, ++ { ++ { { UINT32_C(0x2DD1B249), UINT32_C(0xACC787EF), UINT32_C(0xD82976F1), ++ UINT32_C(0x736E1030), UINT32_C(0xA01B3649), UINT32_C(0x0A6940FA), ++ UINT32_C(0xC42341E7), UINT32_C(0xE00B926B), UINT32_C(0xDE8FFD6C), ++ UINT32_C(0x911508D0), UINT32_C(0x5276B0CB), UINT32_C(0x4DCF8D46) }, ++ { UINT32_C(0xCC3CAD8D), UINT32_C(0x23AD0A90), UINT32_C(0xADED962A), ++ UINT32_C(0x2A92E54C), UINT32_C(0xF231BFAF), UINT32_C(0x93FBEC4D), ++ UINT32_C(0x4798987A), UINT32_C(0x9544BC77), UINT32_C(0x08E29F60), ++ UINT32_C(0x48084E25), UINT32_C(0x32DE5869), UINT32_C(0x0C0D2F43) } }, ++ { { UINT32_C(0x3A9ABC13), UINT32_C(0x6778F970), UINT32_C(0x3D2B166B), ++ UINT32_C(0xFD014FAC), UINT32_C(0x3C6FED60), UINT32_C(0x1FE4FC78), ++ UINT32_C(0xAA7C69C5), UINT32_C(0x04295FA8), UINT32_C(0x7C123175), ++ UINT32_C(0xA01DE56D), UINT32_C(0x3D9A713A), UINT32_C(0x0FA0D3A8) }, ++ { UINT32_C(0xE3E08ADD), UINT32_C(0xA7A6E5E3), UINT32_C(0x1AC58F85), ++ UINT32_C(0xBD77E94B), UINT32_C(0xB7321A9C), UINT32_C(0x078F6FD2), ++ UINT32_C(0x911EF6D9), UINT32_C(0x9564601E), UINT32_C(0x415C6BEF), ++ UINT32_C(0x31C5C1B2), UINT32_C(0xD3212C62), UINT32_C(0xE6C0C91E) } }, ++ { { UINT32_C(0x0D16022F), UINT32_C(0xBA7BD23C), UINT32_C(0x198BE288), ++ UINT32_C(0xE9CF4750), UINT32_C(0x47DEEC65), UINT32_C(0x304E3169), ++ UINT32_C(0x96EEB288), UINT32_C(0xCF65B41F), UINT32_C(0x927E9E3B), ++ UINT32_C(0x17E99C17), UINT32_C(0xF6630A80), UINT32_C(0x82225546) }, ++ { UINT32_C(0xCA067BD9), UINT32_C(0x15122B8A), UINT32_C(0xB77B4E98), ++ UINT32_C(0xE2673205), UINT32_C(0x9407CA63), UINT32_C(0x13037565), ++ UINT32_C(0x8B621602), UINT32_C(0x53624F54), UINT32_C(0xEAE4BD06), ++ UINT32_C(0x96AF2CB1), UINT32_C(0x8FA20829), UINT32_C(0x576ECD1C) } }, ++ { { UINT32_C(0x7E02D2D0), UINT32_C(0xA551CE10), UINT32_C(0x9D13DBC7), ++ UINT32_C(0x1584ED24), UINT32_C(0x4DA7B6D8), UINT32_C(0x082017AD), ++ UINT32_C(0xE054BC48), UINT32_C(0x81918A8F), UINT32_C(0x572DC384), ++ UINT32_C(0x677DB48E), UINT32_C(0x6155484C), UINT32_C(0x2EF82296) }, ++ { UINT32_C(0x41B9C231), UINT32_C(0xC3DB14C6), UINT32_C(0x4A766192), ++ UINT32_C(0x910A87D1), UINT32_C(0x10AB8E0F), UINT32_C(0x93D5CC86), ++ UINT32_C(0xAE57CA1B), UINT32_C(0x4194D548), UINT32_C(0x267FC37A), ++ UINT32_C(0xFAF3A1D6), UINT32_C(0x13B87C97), UINT32_C(0x70EC2364) } }, ++ { { UINT32_C(0x5E12756A), UINT32_C(0x064B565B), UINT32_C(0xAE49C98E), ++ UINT32_C(0x953B7BD1), UINT32_C(0xF7001D91), UINT32_C(0xE0CE8284), ++ UINT32_C(0xF31108D0), UINT32_C(0x1546060B), UINT32_C(0x6779B6E2), ++ UINT32_C(0xDBC2C3F4), UINT32_C(0xE0DD07CF), UINT32_C(0x157AA47D) }, ++ { UINT32_C(0xF23B261E), UINT32_C(0xBF4A1C6F), UINT32_C(0x654F4BE5), ++ UINT32_C(0x5B8EED30), UINT32_C(0x6B20CCD8), UINT32_C(0xDF5896D3), ++ UINT32_C(0x559ED23D), UINT32_C(0x56920E2C), UINT32_C(0xFA6E3E27), ++ UINT32_C(0x901F342E), UINT32_C(0x896CA082), UINT32_C(0x745C747C) } }, ++ { { UINT32_C(0x2944EC84), UINT32_C(0xDBCCD575), UINT32_C(0xA5FF65FE), ++ UINT32_C(0x54A2A935), UINT32_C(0x1A1319B6), UINT32_C(0x88C92A5E), ++ UINT32_C(0x82DA96C1), UINT32_C(0x9537C28F), UINT32_C(0x35F93C46), ++ UINT32_C(0xB6836474), UINT32_C(0x65B0846C), UINT32_C(0xEC526A1D) }, ++ { UINT32_C(0xF382C412), UINT32_C(0x6F12AFBD), UINT32_C(0x9E99FA06), ++ UINT32_C(0x5EBC81D8), UINT32_C(0x869B93BD), UINT32_C(0x97B5D672), ++ UINT32_C(0x377E12AA), UINT32_C(0x2983C310), UINT32_C(0x24D681EA), ++ UINT32_C(0x48759681), UINT32_C(0x287FD767), UINT32_C(0x1E0BD106) } }, ++ { { UINT32_C(0x7231247F), UINT32_C(0x0AC75A3E), UINT32_C(0xEF27AD3A), ++ UINT32_C(0x65C20DE6), UINT32_C(0xBD02EEE5), UINT32_C(0x87EB6CF1), ++ UINT32_C(0x00147E03), UINT32_C(0x264ACA7A), UINT32_C(0xAE2A9437), ++ UINT32_C(0xEBC78581), UINT32_C(0x6316BFA5), UINT32_C(0x9929964E) }, ++ { UINT32_C(0x9AF207EF), UINT32_C(0xDC09E040), UINT32_C(0x0C9D8658), ++ UINT32_C(0x3ECFFE2D), UINT32_C(0xDFB43D38), UINT32_C(0x547EA735), ++ UINT32_C(0xD04B1B20), UINT32_C(0x5485247B), UINT32_C(0xBFD8B609), ++ UINT32_C(0xB18D3F02), UINT32_C(0xCCE73705), UINT32_C(0xEEB3E805) } }, ++ { { UINT32_C(0xDB93850F), UINT32_C(0xDAB1A525), UINT32_C(0x8365B7D5), ++ UINT32_C(0x18ADAA23), UINT32_C(0x113FC8C7), UINT32_C(0x58485C90), ++ UINT32_C(0x348AD323), UINT32_C(0x80C3DBB9), UINT32_C(0xE16ADCA1), ++ UINT32_C(0xAF892FB5), UINT32_C(0x979F005A), UINT32_C(0x2183C879) }, ++ { UINT32_C(0x0643A99E), UINT32_C(0x20FA1A94), UINT32_C(0x1A1609CB), ++ UINT32_C(0x2741221C), UINT32_C(0x3C2FBDDC), UINT32_C(0x1C1687E5), ++ UINT32_C(0xD420D6CF), UINT32_C(0xDCCF329E), UINT32_C(0x2B7197D1), ++ UINT32_C(0x75D5577D), UINT32_C(0xC8729D9C), UINT32_C(0x4C3C3875) } }, ++ { { UINT32_C(0xE5CBDCB9), UINT32_C(0x5E79F995), UINT32_C(0xA742FCC7), ++ UINT32_C(0x03139824), UINT32_C(0x239EF4A1), UINT32_C(0x6D0C214A), ++ UINT32_C(0x401A2944), UINT32_C(0x53A27952), UINT32_C(0xC10BCDF0), ++ UINT32_C(0xF42A1B34), UINT32_C(0x7CF38061), UINT32_C(0x426BAA43) }, ++ { UINT32_C(0xA96AD0C8), UINT32_C(0x16A53139), UINT32_C(0x6BAD5301), ++ UINT32_C(0x627F1D31), UINT32_C(0x4ACCD627), UINT32_C(0x5AF74877), ++ UINT32_C(0xB55B0FB8), UINT32_C(0x3C58A1C5), UINT32_C(0xF4399A6A), ++ UINT32_C(0xFAA57B91), UINT32_C(0xC28094B8), UINT32_C(0xBAD283FB) } }, ++ { { UINT32_C(0x83E10A93), UINT32_C(0xBA32AC61), UINT32_C(0xEC06BDB0), ++ UINT32_C(0x1C91F6B4), UINT32_C(0x65F60C93), UINT32_C(0x42E6CFBC), ++ UINT32_C(0x2C0CDCBE), UINT32_C(0xEFE33BC8), UINT32_C(0x4D6414F2), ++ UINT32_C(0xE0FE1D09), UINT32_C(0x76FA5C5B), UINT32_C(0x4C112316) }, ++ { UINT32_C(0x2E26200A), UINT32_C(0x812C1DC6), UINT32_C(0xEE879D25), ++ UINT32_C(0xD6C413C5), UINT32_C(0xBCA8BAFE), UINT32_C(0xBEADE255), ++ UINT32_C(0xCE2BA0E7), UINT32_C(0x0EAF4AE2), UINT32_C(0xC4F4408A), ++ UINT32_C(0x66E9FFB0), UINT32_C(0x9782C7AD), UINT32_C(0xB36A86D7) } }, ++ { { UINT32_C(0xBAD8D1C7), UINT32_C(0x10FCD1F4), UINT32_C(0x4502F645), ++ UINT32_C(0xC903816A), UINT32_C(0xA503B895), UINT32_C(0x7FAC1CC1), ++ UINT32_C(0x0778900C), UINT32_C(0x8BCD6041), UINT32_C(0x5BCF2784), ++ UINT32_C(0x5A5F2202), UINT32_C(0x10EDB896), UINT32_C(0x9B157E87) }, ++ { UINT32_C(0xF602A8B1), UINT32_C(0x4C58DA69), UINT32_C(0x59EC9D7E), ++ UINT32_C(0xD55132F8), UINT32_C(0xA26D4870), UINT32_C(0x155B719A), ++ UINT32_C(0x36441746), UINT32_C(0x25AAFCA3), UINT32_C(0xDD3B6B30), ++ UINT32_C(0x01F83338), UINT32_C(0x551917CC), UINT32_C(0xD52BB5C1) } }, ++ { { UINT32_C(0x6135066A), UINT32_C(0xA0B6207B), UINT32_C(0x2AEC8CBD), ++ UINT32_C(0xB3409F84), UINT32_C(0x19D87DF0), UINT32_C(0x5EBFD436), ++ UINT32_C(0xE8526DE2), UINT32_C(0xCB4C209B), UINT32_C(0x21E1A230), ++ UINT32_C(0xD764085B), UINT32_C(0x0899964A), UINT32_C(0x96F91554) }, ++ { UINT32_C(0xA57D122A), UINT32_C(0xB0BEC8EF), UINT32_C(0x5D9D0B33), ++ UINT32_C(0xC572EC56), UINT32_C(0xCFA7C72C), UINT32_C(0xEBE2A780), ++ UINT32_C(0x9EF3295C), UINT32_C(0x52D40CDB), UINT32_C(0x0DE74DFE), ++ UINT32_C(0x64004584), UINT32_C(0xC0809716), UINT32_C(0xA6846432) } }, ++ { { UINT32_C(0x02C979BC), UINT32_C(0x0D09E8CD), UINT32_C(0x409F4F2A), ++ UINT32_C(0xEC4B21F6), UINT32_C(0x13FB07CA), UINT32_C(0x68125C70), ++ UINT32_C(0x6FDFA72A), UINT32_C(0x1C4CFC17), UINT32_C(0x04539FCD), ++ UINT32_C(0xC9E71B9E), UINT32_C(0x8BA70797), UINT32_C(0x94B7103D) }, ++ { UINT32_C(0xB33FDE83), UINT32_C(0x6B81E82F), UINT32_C(0xEABAFD4B), ++ UINT32_C(0x7CA9A8CA), UINT32_C(0xEAB819CE), UINT32_C(0xADD85A67), ++ UINT32_C(0x98E99FFC), UINT32_C(0xAEC25483), UINT32_C(0x274A07B6), ++ UINT32_C(0x938D6440), UINT32_C(0x564A6AA0), UINT32_C(0x0A5C7097) } }, ++ { { UINT32_C(0x2F4FCEB6), UINT32_C(0x7284FF50), UINT32_C(0x78D0D5CB), ++ UINT32_C(0x0A28715A), UINT32_C(0xBFCE187C), UINT32_C(0xE70B7014), ++ UINT32_C(0x7A17148D), UINT32_C(0xA6B538F5), UINT32_C(0xDD427166), ++ UINT32_C(0x1DAB07C9), UINT32_C(0x149D23CA), UINT32_C(0x5C5578B0) }, ++ { UINT32_C(0x875B5EDE), UINT32_C(0x875E2056), UINT32_C(0x02C893B9), ++ UINT32_C(0xCBF44B6D), UINT32_C(0x5C2993FB), UINT32_C(0x5715A77E), ++ UINT32_C(0x3410597E), UINT32_C(0xAF328146), UINT32_C(0x42DC49DF), ++ UINT32_C(0x65DF418F), UINT32_C(0xA9EE52F6), UINT32_C(0x7AC9C720) } }, ++ { { UINT32_C(0x62955486), UINT32_C(0xB1C9AA07), UINT32_C(0x245061D7), ++ UINT32_C(0xCBF35BE3), UINT32_C(0x8CF4DDC0), UINT32_C(0x811E1BD3), ++ UINT32_C(0x948F7C84), UINT32_C(0xD9D4589C), UINT32_C(0xCB0F996D), ++ UINT32_C(0x30D09A0F), UINT32_C(0x590E7704), UINT32_C(0x1A1B3B7A) }, ++ { UINT32_C(0x2082768D), UINT32_C(0xA848E349), UINT32_C(0x9A249DF4), ++ UINT32_C(0x9FEBD492), UINT32_C(0x5F20439A), UINT32_C(0x503420AF), ++ UINT32_C(0x8E2BFCD4), UINT32_C(0x0CBE52B6), UINT32_C(0x118C91B2), ++ UINT32_C(0xB1D5E261), UINT32_C(0x71D8F2BC), UINT32_C(0x93CFF6DA) } }, ++ { { UINT32_C(0x8AB58944), UINT32_C(0x5F5BC06B), UINT32_C(0x4979882D), ++ UINT32_C(0xE4BED538), UINT32_C(0xD79B0EB1), UINT32_C(0x57C30362), ++ UINT32_C(0xEF7C56D8), UINT32_C(0x391AE2C1), UINT32_C(0xADD98625), ++ UINT32_C(0x28BC2E97), UINT32_C(0x1B257107), UINT32_C(0xFA8E86B8) }, ++ { UINT32_C(0x6118C715), UINT32_C(0x5E4859F8), UINT32_C(0x524C71DD), ++ UINT32_C(0x91C83324), UINT32_C(0x6D2F5E6D), UINT32_C(0xFB209243), ++ UINT32_C(0x2A900A43), UINT32_C(0x6B4FE21F), UINT32_C(0x32A73C1F), ++ UINT32_C(0x241F75D6), UINT32_C(0x5AE89613), UINT32_C(0xF5BC4629) } }, ++ } ++}; ++ ++/*- ++ * Q := 2P, both projective, Q and P same pointers OK ++ * Autogenerated: op3/dbl_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 6 ++ * ASSERT: a = -3 ++ */ ++static void ++point_double(pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X = P->X; ++ const limb_t *Y = P->Y; ++ const limb_t *Z = P->Z; ++ limb_t *X3 = Q->X; ++ limb_t *Y3 = Q->Y; ++ limb_t *Z3 = Q->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_square(t0, X); ++ fiat_secp384r1_square(t1, Y); ++ fiat_secp384r1_square(t2, Z); ++ fiat_secp384r1_mul(t3, X, Y); ++ fiat_secp384r1_add(t3, t3, t3); ++ fiat_secp384r1_mul(t4, Y, Z); ++ fiat_secp384r1_mul(Z3, X, Z); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_mul(Y3, b, t2); ++ fiat_secp384r1_sub(Y3, Y3, Z3); ++ fiat_secp384r1_add(X3, Y3, Y3); ++ fiat_secp384r1_add(Y3, X3, Y3); ++ fiat_secp384r1_sub(X3, t1, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_mul(Y3, X3, Y3); ++ fiat_secp384r1_mul(X3, X3, t3); ++ fiat_secp384r1_add(t3, t2, t2); ++ fiat_secp384r1_add(t2, t2, t3); ++ fiat_secp384r1_mul(Z3, b, Z3); ++ fiat_secp384r1_sub(Z3, Z3, t2); ++ fiat_secp384r1_sub(Z3, Z3, t0); ++ fiat_secp384r1_add(t3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, t3); ++ fiat_secp384r1_add(t3, t0, t0); ++ fiat_secp384r1_add(t0, t3, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t0, t0, Z3); ++ fiat_secp384r1_add(Y3, Y3, t0); ++ fiat_secp384r1_add(t0, t4, t4); ++ fiat_secp384r1_mul(Z3, t0, Z3); ++ fiat_secp384r1_sub(X3, X3, Z3); ++ fiat_secp384r1_mul(Z3, t0, t1); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++} ++ ++/*- ++ * R := Q + P where R and Q are projective, P affine. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_mixed.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 5 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ fe_t X3; ++ fe_t Y3; ++ fe_t Z3; ++ limb_t nz; ++ ++ /* check P for affine inf */ ++ fiat_secp384r1_nonzero(&nz, P->Y); ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_add(t3, X2, Y2); ++ fiat_secp384r1_add(t4, X1, Y1); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_mul(t4, Y2, Z1); ++ fiat_secp384r1_add(t4, t4, Y1); ++ fiat_secp384r1_mul(Y3, X2, Z1); ++ fiat_secp384r1_add(Y3, Y3, X1); ++ fiat_secp384r1_mul(Z3, b, Z1); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, Z1, Z1); ++ fiat_secp384r1_add(t2, t1, Z1); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++ ++ /* if P is inf, throw all that away and take Q */ ++ fiat_secp384r1_selectznz(R->X, nz, Q->X, X3); ++ fiat_secp384r1_selectznz(R->Y, nz, Q->Y, Y3); ++ fiat_secp384r1_selectznz(R->Z, nz, Q->Z, Z3); ++} ++ ++/*- ++ * R := Q + P all projective. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 4 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4, t5; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ const limb_t *Z2 = P->Z; ++ limb_t *X3 = R->X; ++ limb_t *Y3 = R->Y; ++ limb_t *Z3 = R->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_mul(t2, Z1, Z2); ++ fiat_secp384r1_add(t3, X1, Y1); ++ fiat_secp384r1_add(t4, X2, Y2); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_add(t4, Y1, Z1); ++ fiat_secp384r1_add(t5, Y2, Z2); ++ fiat_secp384r1_mul(t4, t4, t5); ++ fiat_secp384r1_add(t5, t1, t2); ++ fiat_secp384r1_sub(t4, t4, t5); ++ fiat_secp384r1_add(X3, X1, Z1); ++ fiat_secp384r1_add(Y3, X2, Z2); ++ fiat_secp384r1_mul(X3, X3, Y3); ++ fiat_secp384r1_add(Y3, t0, t2); ++ fiat_secp384r1_sub(Y3, X3, Y3); ++ fiat_secp384r1_mul(Z3, b, t2); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, t2, t2); ++ fiat_secp384r1_add(t2, t1, t2); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++} ++ ++/* constants */ ++#define RADIX 5 ++#define DRADIX (1 << RADIX) ++#define DRADIX_WNAF ((DRADIX) << 1) ++ ++/*- ++ * precomp for wnaf scalar multiplication: ++ * precomp[0] = 1P ++ * precomp[1] = 3P ++ * precomp[2] = 5P ++ * precomp[3] = 7P ++ * precomp[4] = 9P ++ * ... ++ */ ++static void ++precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) ++{ ++ int i; ++ ++ fe_copy(precomp[0].X, P->X); ++ fe_copy(precomp[0].Y, P->Y); ++ fe_copy(precomp[0].Z, const_one); ++ point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); ++ ++ for (i = 1; i < DRADIX / 2; i++) ++ point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); ++} ++ ++/* fetch a scalar bit */ ++static int ++scalar_get_bit(const unsigned char in[48], int idx) ++{ ++ int widx, rshift; ++ ++ widx = idx >> 3; ++ rshift = idx & 0x7; ++ ++ if (idx < 0 || widx >= 48) ++ return 0; ++ ++ return (in[widx] >> rshift) & 0x1; ++} ++ ++/*- ++ * Compute "regular" wnaf representation of a scalar. ++ * See "Exponent Recoding and Regular Exponentiation Algorithms", ++ * Tunstall et al., AfricaCrypt 2009, Alg 6. ++ * It forces an odd scalar and outputs digits in ++ * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} ++ * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". ++ */ ++static void ++scalar_rwnaf(int8_t out[77], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = (in[0] & (DRADIX_WNAF - 1)) | 1; ++ for (i = 0; i < 76; i++) { ++ d = (window & (DRADIX_WNAF - 1)) - DRADIX; ++ out[i] = d; ++ window = (window - d) >> RADIX; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; ++ } ++ out[i] = window; ++} ++ ++/*- ++ * Compute "textbook" wnaf representation of a scalar. ++ * NB: not constant time ++ */ ++static void ++scalar_wnaf(int8_t out[385], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = in[0] & (DRADIX_WNAF - 1); ++ for (i = 0; i < 385; i++) { ++ d = 0; ++ if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) ++ d -= DRADIX_WNAF; ++ out[i] = d; ++ window = (window - d) >> 1; ++ window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; ++ } ++} ++ ++/*- ++ * Simulateous scalar multiplication: interleaved "textbook" wnaf. ++ * NB: not constant time ++ */ ++static void ++var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[48], ++ const unsigned char b[48], const pt_aff_t *P) ++{ ++ int i, d, is_neg, is_inf = 1, flipped = 0; ++ int8_t anaf[385] = { 0 }; ++ int8_t bnaf[385] = { 0 }; ++ pt_prj_t Q; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_wnaf(anaf, a); ++ scalar_wnaf(bnaf, b); ++ ++ for (i = 384; i >= 0; i--) { ++ if (!is_inf) ++ point_double(&Q, &Q); ++ if ((d = bnaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &precomp[d].X); ++ fe_copy(Q.Y, &precomp[d].Y); ++ fe_copy(Q.Z, &precomp[d].Z); ++ is_inf = 0; ++ } else ++ point_add_proj(&Q, &Q, &precomp[d]); ++ } ++ if ((d = anaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &lut_cmb[0][d].X); ++ fe_copy(Q.Y, &lut_cmb[0][d].Y); ++ fe_copy(Q.Z, const_one); ++ is_inf = 0; ++ } else ++ point_add_mixed(&Q, &Q, &lut_cmb[0][d]); ++ } ++ } ++ ++ if (is_inf) { ++ /* initialize accumulator to inf: all-zero scalars */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ } ++ ++ if (flipped) { ++ /* correct sign */ ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ } ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Variable point scalar multiplication with "regular" wnaf. ++ */ ++static void ++var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[48], ++ const pt_aff_t *P) ++{ ++ int i, j, d, diff, is_neg; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, lut; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_rwnaf(rnaf, scalar); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ /* initialize accumulator to high digit */ ++ d = (rnaf[76] - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(Q.X, diff, Q.X, precomp[j].X); ++ fiat_secp384r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); ++ } ++ ++ for (i = 75; i >= 0; i--) { ++ for (j = 0; j < RADIX; j++) ++ point_double(&Q, &Q); ++ d = rnaf[i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, precomp[j].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_proj(&Q, &Q, &lut); ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, precomp[0].X); ++ fiat_secp384r1_opp(lut.Y, precomp[0].Y); ++ fe_copy(lut.Z, precomp[0].Z); ++ point_add_proj(&lut, &lut, &Q); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Fixed scalar multiplication: comb with interleaving. ++ */ ++static void ++fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[48]) ++{ ++ int i, j, k, d, diff, is_neg = 0; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, R; ++ pt_aff_t lut; ++ ++ scalar_rwnaf(rnaf, scalar); ++ ++ /* initalize accumulator to inf */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ for (i = 3; i >= 0; i--) { ++ for (j = 0; i != 3 && j < RADIX; j++) ++ point_double(&Q, &Q); ++ for (j = 0; j < 21; j++) { ++ if (j * 4 + i > 76) ++ continue; ++ d = rnaf[j * 4 + i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (k = 0; k < DRADIX / 2; k++) { ++ diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_mixed(&Q, &Q, &lut); ++ } ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, lut_cmb[0][0].X); ++ fiat_secp384r1_opp(lut.Y, lut_cmb[0][0].Y); ++ point_add_mixed(&R, &Q, &lut); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++static void ++point_mul_two(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char a[48], const unsigned char b[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* simultaneous scalar multiplication */ ++ var_smul_wnaf_two(&P, a, b, &P); ++ ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul_g(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48]) ++{ ++ pt_aff_t P; ++ ++ /* fixed scmul function */ ++ fixed_smul_cmb(&P, scalar); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* var scmul function */ ++ var_smul_rwnaf(&P, scalar, &P); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++#undef RADIX ++#include "ecp.h" ++#include "mplogic.h" ++ ++/*- ++ * reverse bytes -- total hack ++ */ ++#define MP_BE2LE(a) \ ++ do { \ ++ unsigned char z_bswap; \ ++ z_bswap = a[0]; \ ++ a[0] = a[47]; \ ++ a[47] = z_bswap; \ ++ z_bswap = a[1]; \ ++ a[1] = a[46]; \ ++ a[46] = z_bswap; \ ++ z_bswap = a[2]; \ ++ a[2] = a[45]; \ ++ a[45] = z_bswap; \ ++ z_bswap = a[3]; \ ++ a[3] = a[44]; \ ++ a[44] = z_bswap; \ ++ z_bswap = a[4]; \ ++ a[4] = a[43]; \ ++ a[43] = z_bswap; \ ++ z_bswap = a[5]; \ ++ a[5] = a[42]; \ ++ a[42] = z_bswap; \ ++ z_bswap = a[6]; \ ++ a[6] = a[41]; \ ++ a[41] = z_bswap; \ ++ z_bswap = a[7]; \ ++ a[7] = a[40]; \ ++ a[40] = z_bswap; \ ++ z_bswap = a[8]; \ ++ a[8] = a[39]; \ ++ a[39] = z_bswap; \ ++ z_bswap = a[9]; \ ++ a[9] = a[38]; \ ++ a[38] = z_bswap; \ ++ z_bswap = a[10]; \ ++ a[10] = a[37]; \ ++ a[37] = z_bswap; \ ++ z_bswap = a[11]; \ ++ a[11] = a[36]; \ ++ a[36] = z_bswap; \ ++ z_bswap = a[12]; \ ++ a[12] = a[35]; \ ++ a[35] = z_bswap; \ ++ z_bswap = a[13]; \ ++ a[13] = a[34]; \ ++ a[34] = z_bswap; \ ++ z_bswap = a[14]; \ ++ a[14] = a[33]; \ ++ a[33] = z_bswap; \ ++ z_bswap = a[15]; \ ++ a[15] = a[32]; \ ++ a[32] = z_bswap; \ ++ z_bswap = a[16]; \ ++ a[16] = a[31]; \ ++ a[31] = z_bswap; \ ++ z_bswap = a[17]; \ ++ a[17] = a[30]; \ ++ a[30] = z_bswap; \ ++ z_bswap = a[18]; \ ++ a[18] = a[29]; \ ++ a[29] = z_bswap; \ ++ z_bswap = a[19]; \ ++ a[19] = a[28]; \ ++ a[28] = z_bswap; \ ++ z_bswap = a[20]; \ ++ a[20] = a[27]; \ ++ a[27] = z_bswap; \ ++ z_bswap = a[21]; \ ++ a[21] = a[26]; \ ++ a[26] = z_bswap; \ ++ z_bswap = a[22]; \ ++ a[22] = a[25]; \ ++ a[25] = z_bswap; \ ++ z_bswap = a[23]; \ ++ a[23] = a[24]; \ ++ a[24] = z_bswap; \ ++ } while (0) ++ ++static mp_err ++point_mul_g_secp384r1(const mp_int *n, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && out_x != NULL && out_y != NULL, MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_BE2LE(b_n); ++ point_mul_g(b_x, b_y, b_n); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_secp384r1(const mp_int *n, const mp_int *in_x, ++ const mp_int *in_y, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && in_x != NULL && in_y != NULL && out_x != NULL && ++ out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n); ++ point_mul(b_x, b_y, b_n, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_two_secp384r1(const mp_int *n1, const mp_int *n2, ++ const mp_int *in_x, const mp_int *in_y, ++ mp_int *out_x, mp_int *out_y, ++ const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n1[48]; ++ unsigned char b_n2[48]; ++ mp_err res; ++ ++ /* If n2 == NULL, this is just a base-point multiplication. */ ++ if (n2 == NULL) ++ return point_mul_g_secp384r1(n1, out_x, out_y, group); ++ ++ /* If n1 == NULL, this is just an arbitary-point multiplication. */ ++ if (n1 == NULL) ++ return point_mul_secp384r1(n2, in_x, in_y, out_x, out_y, group); ++ ++ ARGCHK(in_x != NULL && in_y != NULL && out_x != NULL && out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n1) > 384 || mp_cmp_z(n1) != 1 || ++ mpl_significant_bits(n2) > 384 || mp_cmp_z(n2) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n1, b_n1, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(n2, b_n2, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n1); ++ MP_BE2LE(b_n2); ++ point_mul_two(b_x, b_y, b_n1, b_n2, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++mp_err ++ec_group_set_secp384r1(ECGroup *group, ECCurveName name) ++{ ++ if (name == ECCurve_NIST_P384) { ++ group->base_point_mul = &point_mul_g_secp384r1; ++ group->point_mul = &point_mul_secp384r1; ++ group->points_mul = &point_mul_two_secp384r1; ++ } ++ return MP_OKAY; ++} ++ ++#endif /* __SIZEOF_INT128__ */ +diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi +--- a/nss/lib/freebl/freebl_base.gypi ++++ b/nss/lib/freebl/freebl_base.gypi +@@ -30,16 +30,17 @@ + 'ecl/ecp_256.c', + 'ecl/ecp_256_32.c', + 'ecl/ecp_384.c', + 'ecl/ecp_521.c', + 'ecl/ecp_aff.c', + 'ecl/ecp_jac.c', + 'ecl/ecp_jm.c', + 'ecl/ecp_mont.c', ++ 'ecl/ecp_secp384r1.c', + 'fipsfreebl.c', + 'blinit.c', + 'freeblver.c', + 'gcm.c', + 'hmacct.c', + 'jpake.c', + 'ldvector.c', + 'md2.c', +diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn +--- a/nss/lib/freebl/manifest.mn ++++ b/nss/lib/freebl/manifest.mn +@@ -102,17 +102,17 @@ PRIVATE_EXPORTS = \ + MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h + MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c + + + ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h + ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ + ecp_aff.c ecp_jac.c ecp_mont.c \ + ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ +- ecp_256_32.c ecp_25519.c ++ ecp_256_32.c ecp_25519.c ecp_secp384r1.c + SHA_SRCS = sha_fast.c + MPCPU_SRCS = mpcpucache.c + VERIFIED_SRCS = $(NULL) + + CSRCS = \ + freeblver.c \ + ldvector.c \ + sysrand.c \ +diff --git a/nss/tests/ec/ectest.sh b/tests/ec/ectest.sh +old mode 100644 +new mode 100755 + diff --git a/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch new file mode 100644 index 0000000000..cf3ea63cac --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch @@ -0,0 +1,283 @@ +Description: fix heap overflow when verifying DSA/RSA-PSS DER-encoded signatures +Origin: Provided by Mozilla + +CVE: CVE-2021-43527 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.35-2ubuntu2.13.debian.tar.xz] +Comment: Refreshed hunk 1 and 6 due to fuzz +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +--- a/nss/lib/cryptohi/secvfy.c ++++ b/nss/lib/cryptohi/secvfy.c +@@ -164,6 +164,37 @@ + PR_FALSE /*XXX: unsafeAllowMissingParameters*/); + } + ++static unsigned int ++checkedSignatureLen(const SECKEYPublicKey *pubk) ++{ ++ unsigned int sigLen = SECKEY_SignatureLen(pubk); ++ if (sigLen == 0) { ++ /* Error set by SECKEY_SignatureLen */ ++ return sigLen; ++ } ++ unsigned int maxSigLen; ++ switch (pubk->keyType) { ++ case rsaKey: ++ case rsaPssKey: ++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; ++ break; ++ case dsaKey: ++ maxSigLen = DSA_MAX_SIGNATURE_LEN; ++ break; ++ case ecKey: ++ maxSigLen = 2 * MAX_ECKEY_LEN; ++ break; ++ default: ++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); ++ return 0; ++ } ++ if (sigLen > maxSigLen) { ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ return 0; ++ } ++ return sigLen; ++} ++ + /* + * decode the ECDSA or DSA signature from it's DER wrapping. + * The unwrapped/raw signature is placed in the buffer pointed +@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, + unsigned int len) + { + SECItem *dsasig = NULL; /* also used for ECDSA */ +- SECStatus rv = SECSuccess; + +- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && +- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { +- if (sig->len != len) { +- PORT_SetError(SEC_ERROR_BAD_DER); +- return SECFailure; ++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */ ++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { ++ if (len > DSA_MAX_SIGNATURE_LEN) { ++ goto loser; + } +- +- PORT_Memcpy(dsig, sig->data, sig->len); +- return SECSuccess; +- } +- +- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { ++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { + if (len > MAX_ECKEY_LEN * 2) { +- PORT_SetError(SEC_ERROR_BAD_DER); +- return SECFailure; ++ goto loser; + } +- } +- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); +- +- if ((dsasig == NULL) || (dsasig->len != len)) { +- rv = SECFailure; + } else { +- PORT_Memcpy(dsig, dsasig->data, dsasig->len); ++ goto loser; + } + +- if (dsasig != NULL) ++ /* Decode and pad to length */ ++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); ++ if (dsasig == NULL) { ++ goto loser; ++ } ++ if (dsasig->len != len) { + SECITEM_FreeItem(dsasig, PR_TRUE); +- if (rv == SECFailure) +- PORT_SetError(SEC_ERROR_BAD_DER); +- return rv; ++ goto loser; ++ } ++ ++ PORT_Memcpy(dsig, dsasig->data, len); ++ SECITEM_FreeItem(dsasig, PR_TRUE); ++ ++ return SECSuccess; ++ ++loser: ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ return SECFailure; + } + + const SEC_ASN1Template hashParameterTemplate[] = +@@ -231,7 +262,7 @@ SECStatus + sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, + const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg) + { +- int len; ++ unsigned int len; + PLArenaPool *arena; + SECStatus rv; + SECItem oid; +@@ -458,48 +489,52 @@ vfy_CreateContext(const SECKEYPublicKey + cx->pkcs1RSADigestInfo = NULL; + rv = SECSuccess; + if (sig) { +- switch (type) { +- case rsaKey: +- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, +- &cx->pkcs1RSADigestInfo, +- &cx->pkcs1RSADigestInfoLen, +- cx->key, +- sig, wincx); +- break; +- case rsaPssKey: +- sigLen = SECKEY_SignatureLen(key); +- if (sigLen == 0) { +- /* error set by SECKEY_SignatureLen */ +- rv = SECFailure; ++ rv = SECFailure; ++ if (type == rsaKey) { ++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, ++ &cx->pkcs1RSADigestInfo, ++ &cx->pkcs1RSADigestInfoLen, ++ cx->key, ++ sig, wincx); ++ } else { ++ sigLen = checkedSignatureLen(key); ++ /* Check signature length is within limits */ ++ if (sigLen == 0) { ++ /* error set by checkedSignatureLen */ ++ rv = SECFailure; ++ goto loser; ++ } ++ if (sigLen > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ goto loser; ++ } ++ switch (type) { ++ case rsaPssKey: ++ if (sig->len != sigLen) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ goto loser; ++ } ++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen); ++ rv = SECSuccess; + break; +- } +- if (sig->len != sigLen) { +- PORT_SetError(SEC_ERROR_BAD_SIGNATURE); +- rv = SECFailure; ++ case ecKey: ++ case dsaKey: ++ /* decodeECorDSASignature will check sigLen == sig->len after padding */ ++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); + break; +- } +- PORT_Memcpy(cx->u.buffer, sig->data, sigLen); +- break; +- case dsaKey: +- case ecKey: +- sigLen = SECKEY_SignatureLen(key); +- if (sigLen == 0) { +- /* error set by SECKEY_SignatureLen */ ++ default: ++ /* Unreachable */ + rv = SECFailure; +- break; +- } +- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); +- break; +- default: +- rv = SECFailure; +- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); +- break; ++ goto loser; ++ } ++ } ++ if (rv != SECSuccess) { ++ goto loser; + } + } + +- if (rv) +- goto loser; +- + /* check hash alg again, RSA may have changed it.*/ + if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { + /* error set by HASH_GetHashTypeByOidTag */ +@@ -634,11 +669,16 @@ VFY_EndWithSignature(VFYContext *cx, SEC + switch (cx->key->keyType) { + case ecKey: + case dsaKey: +- dsasig.data = cx->u.buffer; +- dsasig.len = SECKEY_SignatureLen(cx->key); ++ dsasig.len = checkedSignatureLen(cx->key); + if (dsasig.len == 0) { + return SECFailure; + } ++ if (dsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ return SECFailure; ++ } ++ dsasig.data = cx->u.buffer; ++ + if (sig) { + rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, + dsasig.len); +@@ -667,8 +698,13 @@ + } + + rsasig.data = cx->u.buffer; +- rsasig.len = SECKEY_SignatureLen(cx->key); ++ rsasig.len = checkedSignatureLen(cx->key); + if (rsasig.len == 0) { ++ /* Error set by checkedSignatureLen */ ++ return SECFailure; ++ } ++ if (rsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + if (sig) { +@@ -743,7 +788,6 @@ vfy_VerifyDigest(const SECItem *digest, + SECStatus rv; + VFYContext *cx; + SECItem dsasig; /* also used for ECDSA */ +- + rv = SECFailure; + + cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); +@@ -751,19 +795,25 @@ vfy_VerifyDigest(const SECItem *digest, + switch (key->keyType) { + case rsaKey: + rv = verifyPKCS1DigestInfo(cx, digest); ++ /* Error (if any) set by verifyPKCS1DigestInfo */ + break; +- case dsaKey: + case ecKey: ++ case dsaKey: + dsasig.data = cx->u.buffer; +- dsasig.len = SECKEY_SignatureLen(cx->key); ++ dsasig.len = checkedSignatureLen(cx->key); + if (dsasig.len == 0) { ++ /* Error set by checkedSignatureLen */ ++ rv = SECFailure; + break; + } +- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) != +- SECSuccess) { ++ if (dsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ break; ++ } ++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx); ++ if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); +- } else { +- rv = SECSuccess; + } + break; + default: diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch new file mode 100644 index 0000000000..cccb73187d --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch @@ -0,0 +1,63 @@ +# HG changeset patch +# User John M. Schanck <jschanck@mozilla.com> +# Date 1633990165 0 +# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0 +# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f +Bug 1735028 - check for missing signedData field r=keeler + +Differential Revision: https://phabricator.services.mozilla.com/D128112 + +Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0] +CVE: CVE-2022-22747 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc ++++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage + unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, + 0x05, 0xa0, 0x02, 0x30, 0x00}; + EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage( + reinterpret_cast<char*>(emptyCertPackage), + sizeof(emptyCertPackage))); + EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); + } ++ ++TEST_F(DecodeCertsTest, EmptySignedData) { ++ // This represents a PKCS#7 ContentInfo of contentType ++ // 1.2.840.113549.1.7.2 (signedData) with missing content. ++ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, ++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, ++ 0x02, 0x00, 0x00, 0x05, 0x00}; ++ ++ EXPECT_EQ(nullptr, ++ CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData), ++ sizeof(emptySignedData))); ++ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); ++} +diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c +--- a/nss/lib/pkcs7/certread.c ++++ b/nss/lib/pkcs7/certread.c +@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C + pkcs7Item) != SECSuccess) { + goto done; + } + + if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) { + goto done; + } + ++ if (contentInfo.content.signedData == NULL) { ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ goto done; ++ } ++ + rv = SECSuccess; + + certs = contentInfo.content.signedData->certificates; + if (certs) { + count = 0; + + while (*certs) { + count++; diff --git a/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch new file mode 100644 index 0000000000..ec3b4a092a --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch @@ -0,0 +1,124 @@ + +# HG changeset patch +# User John M. Schanck <jschanck@mozilla.com> +# Date 1675974326 0 +# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18 +# Parent 52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4 +Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D167443 + +CVE: CVE-2023-0767 +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz] +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c +--- a/nss/lib/pkcs12/p12d.c ++++ b/nss/lib/pkcs12/p12d.c +@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void + unsigned long len, int depth, + SEC_ASN1EncodingPart data_kind) + { + sec_PKCS12SafeContentsContext *safeContentsCtx = + (sec_PKCS12SafeContentsContext *)arg; + SEC_PKCS12DecoderContext *p12dcx; + SECStatus rv; + +- /* make sure that we are not skipping the current safeBag, +- * and that there are no errors. If so, just return rather +- * than continuing to process. +- */ +- if (!safeContentsCtx || !safeContentsCtx->p12dcx || +- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { + return; + } + p12dcx = safeContentsCtx->p12dcx; + ++ /* make sure that there are no errors and we are not skipping the current safeBag */ ++ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ goto loser; ++ } ++ + rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); + if (rv != SECSuccess) { + p12dcx->errorValue = PORT_GetError(); ++ p12dcx->error = PR_TRUE; ++ goto loser; ++ } ++ ++ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we ++ * may not get another opportunity to clean up the decoder context. ++ */ ++ if (safeContentsCtx->skipCurrentSafeBag) { + goto loser; + } + + return; + + loser: +- /* set the error, and finish the decoder context. because there ++ /* Finish the decoder context. Because there + * is not a way of returning an error message, it may be worth + * while to do a check higher up and finish any decoding contexts + * that are still open. + */ +- p12dcx->error = PR_TRUE; + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + return; + } + + /* notify function for decoding safeBags. This function is + * used to filter safeBag types which are not supported, + * initiate the decoding of nested safe contents, and decode +diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h +--- a/nss/lib/pkcs12/p12t.h ++++ b/nss/lib/pkcs12/p12t.h +@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr { + /* Dependent upon the type of bag being used. */ + union { + SECKEYPrivateKeyInfo *pkcs8KeyBag; + SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; + sec_PKCS12CertBag *certBag; + sec_PKCS12CRLBag *crlBag; + sec_PKCS12SecretBag *secretBag; + sec_PKCS12SafeContents *safeContents; ++ SECItem *unknownBag; + } safeBagContent; + + sec_PKCS12Attribute **attribs; + + /* used locally */ + SECOidData *bagTypeTag; + PLArenaPool *arena; + unsigned int nAttribs; +diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c +--- a/nss/lib/pkcs12/p12tmpl.c ++++ b/nss/lib/pkcs12/p12tmpl.c +@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr + if (src_or_dest == NULL) { + return NULL; + } + + safeBag = (sec_PKCS12SafeBag *)src_or_dest; + + oiddata = SECOID_FindOID(&safeBag->safeBagType); + if (oiddata == NULL) { +- return SEC_ASN1_GET(SEC_AnyTemplate); ++ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); + } + + switch (oiddata->offset) { + default: +- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); ++ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + theTemplate = sec_PKCS12PointerToCertBagTemplate; + break; + case SEC_OID_PKCS12_V1_CRL_BAG_ID: + diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb index 3e3c3a3fdf..af842ee67c 100644 --- a/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb @@ -36,6 +36,15 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://0001-Enable-uint128-on-mips64.patch \ file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \ file://CVE-2020-12401.patch \ + file://CVE-2020-6829_12400.patch \ + file://CVE-2020-12403_1.patch \ + file://CVE-2020-12403_2.patch \ + file://CVE-2020-25648.patch \ + file://CVE-2021-43527.patch \ + file://CVE-2022-22747.patch \ + file://CVE-2023-0767.patch \ + file://0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch;patchdir=nss \ + file://0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch;patchdir=nss \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233" @@ -55,6 +64,8 @@ TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc TARGET_CC_ARCH += "${LDFLAGS}" +CFLAGS_append_class-native = " -D_XOPEN_SOURCE " + do_configure_prepend_libc-musl () { sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk } @@ -62,7 +73,6 @@ do_configure_prepend_libc-musl () { do_compile_prepend_class-native() { export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE} - export NSS_ENABLE_WERROR=0 } do_compile_prepend_class-nativesdk() { @@ -81,6 +91,11 @@ do_compile() { export NATIVE_CC="${BUILD_CC}" # Additional defines needed on Centos 7 export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux" + + # POSIX.1-2001 states that the behaviour of getcwd() when passing a null + # pointer as the buf argument, is unspecified. + export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC" + export BUILD_OPT=1 export FREEBL_NO_DEPEND=1 @@ -279,3 +294,12 @@ FILES_${PN}-dev = "\ RDEPENDS_${PN}-smime = "perl" BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT += "network_security_services" + +# CVE-2006-5201 affects only Sun Solaris +CVE_CHECK_WHITELIST += "CVE-2006-5201" + +# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect +# the legacy db (libnssdbm), only compiled with --enable-legacy-db. +CVE_CHECK_WHITELIST += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" diff --git a/meta-oe/recipes-support/numactl/numactl_git.bb b/meta-oe/recipes-support/numactl/numactl_git.bb index 20b7fed862..af082237c3 100644 --- a/meta-oe/recipes-support/numactl/numactl_git.bb +++ b/meta-oe/recipes-support/numactl/numactl_git.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://README.md;beginline=19;endline=32;md5=f8ff2391624f28e SRCREV = "5d9f16722e3df49dc618a9f361bd482559695db7" PV = "2.0.13+git${SRCPV}" -SRC_URI = "git://github.com/numactl/numactl \ +SRC_URI = "git://github.com/numactl/numactl;branch=master;protocol=https \ file://Fix-the-test-output-format.patch \ file://Makefile \ file://run-ptest \ diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch new file mode 100644 index 0000000000..38daa05817 --- /dev/null +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch @@ -0,0 +1,35 @@ +From 7f3cced1e140ed36c6f8f66d7f4098323b0463b2 Mon Sep 17 00:00:00 2001 +From: Katy Feng <fkaty@vmware.com> +Date: Fri, 25 Aug 2023 11:58:48 -0700 +Subject: [PATCH] Allow only X509 certs to verify the SAML token signature. + +Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16 +CVE: CVE-2023-20900 +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> +--- + open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +index 2906d29..57db3b8 100644 +--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c ++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc, + */ + bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); + if (bRet == FALSE) { +- g_warning("failed to register ID\n"); ++ g_warning("Failed to register ID\n"); ++ goto done; ++ } ++ ++ /* Use only X509 certs to validate the signature */ ++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), ++ BAD_CAST xmlSecKeyDataX509Id) < 0) { ++ g_warning("Failed to limit allowed key data\n"); + goto done; + } + +-- +2.7.4 + diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch new file mode 100644 index 0000000000..1c6657ae9f --- /dev/null +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch @@ -0,0 +1,39 @@ +From d16eda269413bdb04e85c242fa28db264697c45f Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwolfe@vmware.com> +Date: Sun, 21 Aug 2022 07:56:49 -0700 +Subject: [PATCH] Properly check authorization on incoming guestOps requests. + +Fix public pipe request checks. Only a SessionRequest type should +be accepted on the public pipe. + +Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745 +CVE: CVE-2022-31676 +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> +--- + open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/proto.c b/open-vm-tools/vgauth/serviceImpl/proto.c +index f097fb6..0ebaa7b 100644 +--- a/open-vm-tools/vgauth/serviceImpl/proto.c ++++ b/open-vm-tools/vgauth/serviceImpl/proto.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016,2019 VMware, Inc. All rights reserved. ++ * Copyright (C) 2011-2016,2019-2022 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -1202,6 +1202,10 @@ Proto_SecurityCheckRequest(ServiceConnection *conn, + VGAuthError err; + gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn); + ++ if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) { ++ return VGAUTH_E_PERMISSION_DENIED; ++ } ++ + switch (req->reqType) { + /* + * This comes over the public connection; alwsys let it through. +-- +2.7.4 diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb index 34a81d21f0..e3b15e35b6 100644 --- a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb @@ -21,7 +21,7 @@ LICENSE_modules/freebsd/vmxnet = "GPL-2.0" LICENSE_modules/linux = "GPL-2.0" LICENSE_modules/solaris = "CDDL-1.0" -SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https \ +SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=master \ file://tools.conf \ file://vmtoolsd.service \ file://vmtoolsd.init \ @@ -43,6 +43,8 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https \ file://0002-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0001-utilBacktrace-Ignore-Warray-bounds.patch;patchdir=.. \ file://0001-hgfsmounter-Makefile.am-support-usrmerge.patch;patchdir=.. \ + file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ + file://0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch;patchdir=.. \ " SRCREV = "d3edfd142a81096f9f58aff17d84219b457f4987" diff --git a/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb b/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb index 9fd88ced95..831b15a455 100644 --- a/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb +++ b/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb @@ -7,7 +7,7 @@ HOMEPAGE = "https://github.com/Oblomov/clinfo" LICENSE = "CC0-1.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=fd8857f774dfb0eefe1e80c8f9240a7e" -SRC_URI = "git://github.com/Oblomov/clinfo.git;protocol=https" +SRC_URI = "git://github.com/Oblomov/clinfo.git;protocol=https;branch=master" SRCREV = "59d0daf898e48d76ccbb788acbba258fa0a8ba7c" diff --git a/meta-oe/recipes-support/opencv/ade_0.1.1f.bb b/meta-oe/recipes-support/opencv/ade_0.1.1f.bb index 3861802158..7e9bbc31c9 100644 --- a/meta-oe/recipes-support/opencv/ade_0.1.1f.bb +++ b/meta-oe/recipes-support/opencv/ade_0.1.1f.bb @@ -4,7 +4,7 @@ and processing framework. ADE Framework is suitable for \ organizing data flow processing and execution." HOMEPAGE = "https://github.com/opencv/ade" -SRC_URI = "git://github.com/opencv/ade.git \ +SRC_URI = "git://github.com/opencv/ade.git;branch=master;protocol=https \ file://0001-use-GNUInstallDirs-for-detecting-install-paths.patch \ " diff --git a/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch b/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch index 5f909c1a8f..896d6ce9dc 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch @@ -1,4 +1,4 @@ -From 85b882b4ceb57fe6538f47af58d0a970923fde0e Mon Sep 17 00:00:00 2001 +From 806de12b95a69572fffea8eb49b4ec3fb722b65f Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com> Date: Thu, 31 Mar 2016 00:20:15 +0200 Subject: [PATCH] 3rdparty/ippicv: Use pre-downloaded ipp @@ -11,7 +11,7 @@ Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/3rdparty/ippicv/ippicv.cmake b/3rdparty/ippicv/ippicv.cmake -index ae8748c..305abdb 100644 +index ae8748c283..305abdb58d 100644 --- a/3rdparty/ippicv/ippicv.cmake +++ b/3rdparty/ippicv/ippicv.cmake @@ -39,18 +39,5 @@ function(download_ippicv root_var) diff --git a/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch b/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch index 40d3f53e1a..a899b7e9a4 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch @@ -1,4 +1,4 @@ -From 9659f5a1e75fc29c9879c301767bba72ecf9042a Mon Sep 17 00:00:00 2001 +From b34a6e8d4582aa13ad4cd58547d8e0f0a0f1c6a6 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Tue, 11 Sep 2018 00:21:18 -0700 Subject: [PATCH] Dont use isystem @@ -14,7 +14,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 1 file changed, 2 insertions(+) diff --git a/cmake/OpenCVPCHSupport.cmake b/cmake/OpenCVPCHSupport.cmake -index 59bc826..055dfce 100644 +index 59bc826ed0..055dfce251 100644 --- a/cmake/OpenCVPCHSupport.cmake +++ b/cmake/OpenCVPCHSupport.cmake @@ -18,6 +18,8 @@ IF(CV_GCC) diff --git a/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch b/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch index f8ccd1d558..26041e09fb 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch @@ -1,4 +1,4 @@ -From fe27d0e2341683606704115949d16250e4cacbfa Mon Sep 17 00:00:00 2001 +From 23425e45f6e26f2b1e387b88e104872b3a1ea5d1 Mon Sep 17 00:00:00 2001 From: Jason Wessel <jason.wessel@windriver.com> Date: Wed, 9 May 2018 13:33:59 -0700 Subject: [PATCH] Temporarliy work around deprecated ffmpeg RAW function @@ -11,7 +11,7 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com> 1 file changed, 8 insertions(+) diff --git a/modules/videoio/src/cap_ffmpeg_impl.hpp b/modules/videoio/src/cap_ffmpeg_impl.hpp -index 0d360ad..566df66 100644 +index 0d360ad5d9..566df6664b 100644 --- a/modules/videoio/src/cap_ffmpeg_impl.hpp +++ b/modules/videoio/src/cap_ffmpeg_impl.hpp @@ -736,6 +736,14 @@ struct ImplMutex::Impl diff --git a/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch b/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch index 43d32fbc75..df5bd67460 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch @@ -1,13 +1,15 @@ -From 1edc925ecd7fb54d2dc78452069084475fbe2a70 Mon Sep 17 00:00:00 2001 +From d9bdafa95f329f33d829d89a2e51adaf833768cc Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Thu, 16 Jan 2020 08:52:00 -0800 -Subject: [PATCH] carotene: Replace ipcp-unit-growth with ipa-cp-unit-growth on gcc >= 10 +Subject: [PATCH] carotene: Replace ipcp-unit-growth with ipa-cp-unit-growth on + gcc >= 10 gcc 10+ has renamed this option, therefore check for gcc version before deciding which name to use for opt parameter Upstream-Status: Submitted [https://github.com/opencv/opencv/pull/16369] Signed-off-by: Khem Raj <raj.khem@gmail.com> + --- 3rdparty/carotene/CMakeLists.txt | 8 ++++++-- 3rdparty/carotene/hal/CMakeLists.txt | 7 ++++++- @@ -50,6 +52,3 @@ index c4b9acaedd..bbc5b11a80 100644 # set_source_files_properties(impl.cpp $<TARGET_OBJECTS:carotene_objs> COMPILE_FLAGS "--param ipcp-unit-growth=100000 --param inline-unit-growth=100000 --param large-stack-frame-growth=5000") endif() --- -2.25.0 - diff --git a/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch b/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch index 46198fb7be..3dd63829e5 100644 --- a/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch +++ b/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch @@ -1,4 +1,4 @@ -From 46ffa1f8f443b71673774fcb864eb741bbc26200 Mon Sep 17 00:00:00 2001 +From 6a490df70aadc43ed4f503452c278e334716826d Mon Sep 17 00:00:00 2001 From: Bian Naimeng <biannm@cn.fujitsu.com> Date: Wed, 19 Apr 2017 03:11:37 +0900 Subject: [PATCH] Make opencv-ts create share library intead of static. @@ -10,7 +10,7 @@ Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ts/CMakeLists.txt b/modules/ts/CMakeLists.txt -index f95bed0..ee67858 100644 +index f95bed0793..ee67858df8 100644 --- a/modules/ts/CMakeLists.txt +++ b/modules/ts/CMakeLists.txt @@ -4,7 +4,7 @@ if(NOT BUILD_opencv_ts AND NOT BUILD_TESTS AND NOT BUILD_PERF_TESTS) diff --git a/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch b/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch index 336c2e08e6..77571ead98 100644 --- a/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch +++ b/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch @@ -1,4 +1,4 @@ -From 867caccc358266f7021f076fc8c8e41bf048782c Mon Sep 17 00:00:00 2001 +From b3dc5478cb0d2d2b617dc6c5e28d59559edadf36 Mon Sep 17 00:00:00 2001 From: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Date: Fri, 19 May 2017 04:27:50 +0900 Subject: [PATCH] To fix errors as following: @@ -21,7 +21,7 @@ Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/ts/include/opencv2/ts.hpp b/modules/ts/include/opencv2/ts.hpp -index b9d6b74..f1ee7ee 100644 +index b9d6b74ffc..f1ee7ee429 100644 --- a/modules/ts/include/opencv2/ts.hpp +++ b/modules/ts/include/opencv2/ts.hpp @@ -622,7 +622,7 @@ protected: @@ -43,7 +43,7 @@ index b9d6b74..f1ee7ee 100644 #define CV_TEST_INIT0_NOOP (void)0 diff --git a/modules/ts/include/opencv2/ts/ocl_test.hpp b/modules/ts/include/opencv2/ts/ocl_test.hpp -index 11572e9..438112e 100644 +index 11572e9f48..438112e2aa 100644 --- a/modules/ts/include/opencv2/ts/ocl_test.hpp +++ b/modules/ts/include/opencv2/ts/ocl_test.hpp @@ -82,7 +82,7 @@ inline UMat ToUMat(InputArray src) @@ -56,7 +56,7 @@ index 11572e9..438112e 100644 #define MAX_VALUE 357 diff --git a/modules/ts/include/opencv2/ts/ts_ext.hpp b/modules/ts/include/opencv2/ts/ts_ext.hpp -index b5cea3e..e5b0b4b 100644 +index b5cea3e46d..e5b0b4ba8c 100644 --- a/modules/ts/include/opencv2/ts/ts_ext.hpp +++ b/modules/ts/include/opencv2/ts/ts_ext.hpp @@ -9,7 +9,7 @@ diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch new file mode 100644 index 0000000000..54a553fb38 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch @@ -0,0 +1,148 @@ +From 5a9628c134a7314e10ea0bcc4e789c935251a7f5 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Thu, 25 Jul 2019 17:15:59 +0300 +Subject: [PATCH] objdetect: validate feature rectangle on reading + +CVE: CVE-2019-14491 +CVE: CVE-2019-14492 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/objdetect/src/cascadedetect.cpp | 43 +++++++++++++++++++++---- + modules/objdetect/src/cascadedetect.hpp | 6 ++-- + 2 files changed, 40 insertions(+), 9 deletions(-) + +diff --git a/modules/objdetect/src/cascadedetect.cpp b/modules/objdetect/src/cascadedetect.cpp +index a1865e9062..b7ef04ea7b 100644 +--- a/modules/objdetect/src/cascadedetect.cpp ++++ b/modules/objdetect/src/cascadedetect.cpp +@@ -46,6 +46,10 @@ + #include "cascadedetect.hpp" + #include "opencl_kernels_objdetect.hpp" + ++#if defined(_MSC_VER) ++# pragma warning(disable:4458) // declaration of 'origWinSize' hides class member ++#endif ++ + namespace cv + { + +@@ -536,7 +540,7 @@ bool FeatureEvaluator::setImage( InputArray _image, const std::vector<float>& _s + + //---------------------------------------------- HaarEvaluator --------------------------------------- + +-bool HaarEvaluator::Feature :: read( const FileNode& node ) ++bool HaarEvaluator::Feature::read(const FileNode& node, const Size& origWinSize) + { + FileNode rnode = node[CC_RECTS]; + FileNodeIterator it = rnode.begin(), it_end = rnode.end(); +@@ -548,11 +552,23 @@ bool HaarEvaluator::Feature :: read( const FileNode& node ) + rect[ri].weight = 0.f; + } + ++ const int W = origWinSize.width; ++ const int H = origWinSize.height; ++ + for(ri = 0; it != it_end; ++it, ri++) + { + FileNodeIterator it2 = (*it).begin(); +- it2 >> rect[ri].r.x >> rect[ri].r.y >> +- rect[ri].r.width >> rect[ri].r.height >> rect[ri].weight; ++ Feature::RectWeigth& rw = rect[ri]; ++ it2 >> rw.r.x >> rw.r.y >> rw.r.width >> rw.r.height >> rw.weight; ++ // input validation ++ { ++ CV_CheckGE(rw.r.x, 0, "Invalid HAAR feature"); ++ CV_CheckGE(rw.r.y, 0, "Invalid HAAR feature"); ++ CV_CheckLT(rw.r.x, W, "Invalid HAAR feature"); // necessary for overflow checks ++ CV_CheckLT(rw.r.y, H, "Invalid HAAR feature"); // necessary for overflow checks ++ CV_CheckLE(rw.r.x + rw.r.width, W, "Invalid HAAR feature"); ++ CV_CheckLE(rw.r.y + rw.r.height, H, "Invalid HAAR feature"); ++ } + } + + tilted = (int)node[CC_TILTED] != 0; +@@ -597,7 +613,7 @@ bool HaarEvaluator::read(const FileNode& node, Size _origWinSize) + + for(i = 0; i < n; i++, ++it) + { +- if(!ff[i].read(*it)) ++ if(!ff[i].read(*it, _origWinSize)) + return false; + if( ff[i].tilted ) + hasTiltedFeatures = true; +@@ -758,11 +774,24 @@ int HaarEvaluator::getSquaresOffset() const + } + + //---------------------------------------------- LBPEvaluator ------------------------------------- +-bool LBPEvaluator::Feature :: read(const FileNode& node ) ++bool LBPEvaluator::Feature::read(const FileNode& node, const Size& origWinSize) + { + FileNode rnode = node[CC_RECT]; + FileNodeIterator it = rnode.begin(); + it >> rect.x >> rect.y >> rect.width >> rect.height; ++ ++ const int W = origWinSize.width; ++ const int H = origWinSize.height; ++ // input validation ++ { ++ CV_CheckGE(rect.x, 0, "Invalid LBP feature"); ++ CV_CheckGE(rect.y, 0, "Invalid LBP feature"); ++ CV_CheckLT(rect.x, W, "Invalid LBP feature"); ++ CV_CheckLT(rect.y, H, "Invalid LBP feature"); ++ CV_CheckLE(rect.x + rect.width, W, "Invalid LBP feature"); ++ CV_CheckLE(rect.y + rect.height, H, "Invalid LBP feature"); ++ } ++ + return true; + } + +@@ -796,7 +825,7 @@ bool LBPEvaluator::read( const FileNode& node, Size _origWinSize ) + std::vector<Feature>& ff = *features; + for(int i = 0; it != it_end; ++it, i++) + { +- if(!ff[i].read(*it)) ++ if(!ff[i].read(*it, _origWinSize)) + return false; + } + nchannels = 1; +@@ -1441,6 +1470,8 @@ bool CascadeClassifierImpl::Data::read(const FileNode &root) + origWinSize.width = (int)root[CC_WIDTH]; + origWinSize.height = (int)root[CC_HEIGHT]; + CV_Assert( origWinSize.height > 0 && origWinSize.width > 0 ); ++ CV_CheckLE(origWinSize.width, 1000000, "Invalid window size (too large)"); ++ CV_CheckLE(origWinSize.height, 1000000, "Invalid window size (too large)"); + + // load feature params + FileNode fn = root[CC_FEATURE_PARAMS]; +diff --git a/modules/objdetect/src/cascadedetect.hpp b/modules/objdetect/src/cascadedetect.hpp +index a011ed4804..ffc03af841 100644 +--- a/modules/objdetect/src/cascadedetect.hpp ++++ b/modules/objdetect/src/cascadedetect.hpp +@@ -317,12 +317,12 @@ public: + struct Feature + { + Feature(); +- bool read( const FileNode& node ); ++ bool read(const FileNode& node, const Size& origWinSize); + + bool tilted; + + enum { RECT_NUM = 3 }; +- struct ++ struct RectWeigth + { + Rect r; + float weight; +@@ -412,7 +412,7 @@ public: + Feature( int x, int y, int _block_w, int _block_h ) : + rect(x, y, _block_w, _block_h) {} + +- bool read(const FileNode& node ); ++ bool read(const FileNode& node, const Size& origWinSize); + + Rect rect; // weight and height for block + }; diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch new file mode 100644 index 0000000000..37be12b500 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch @@ -0,0 +1,237 @@ +From 0d88c87ed94e89af490c3d882597e034422aa4a5 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Thu, 25 Jul 2019 15:14:22 +0300 +Subject: [PATCH] core(persistence): added null ptr checks + +CVE: CVE-2019-14493 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/core/src/persistence_json.cpp | 12 ++++++++++++ + modules/core/src/persistence_xml.cpp | 21 +++++++++++++++++++++ + modules/core/src/persistence_yml.cpp | 21 +++++++++++++++++++++ + 3 files changed, 54 insertions(+) + +diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp +index ae678e1b8b..89914e6534 100644 +--- a/modules/core/src/persistence_json.cpp ++++ b/modules/core/src/persistence_json.cpp +@@ -296,6 +296,8 @@ public: + + while ( is_eof == false && is_completed == false ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + switch ( *ptr ) + { + /* comment */ +@@ -381,6 +383,7 @@ public: + if ( is_eof || !is_completed ) + { + ptr = fs->bufferStart(); ++ CV_Assert(ptr); + *ptr = '\0'; + fs->setEof(); + if( !is_completed ) +@@ -392,6 +395,9 @@ public: + + char* parseKey( char* ptr, FileNode& collection, FileNode& value_placeholder ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + if( *ptr != '"' ) + CV_PARSE_ERROR_CPP( "Key must start with \'\"\'" ); + +@@ -430,6 +436,9 @@ public: + + char* parseValue( char* ptr, FileNode& node ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid value input"); ++ + ptr = skipSpaces( ptr ); + if( !ptr || !*ptr ) + CV_PARSE_ERROR_CPP( "Unexpected End-Of-File" ); +@@ -817,6 +826,9 @@ public: + + bool parse( char* ptr ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + ptr = skipSpaces( ptr ); + if ( !ptr || !*ptr ) + return false; +diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp +index fb30d90896..89876dd3da 100644 +--- a/modules/core/src/persistence_xml.cpp ++++ b/modules/core/src/persistence_xml.cpp +@@ -360,6 +360,9 @@ public: + + char* skipSpaces( char* ptr, int mode ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + int level = 0; + + for(;;) +@@ -441,6 +444,9 @@ public: + + char* parseValue( char* ptr, FileNode& node ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + FileNode new_elem; + bool have_space = true; + int value_type = node.type(); +@@ -456,6 +462,8 @@ public: + (c == '<' && ptr[1] == '!' && ptr[2] == '-') ) + { + ptr = skipSpaces( ptr, 0 ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + have_space = true; + c = *ptr; + } +@@ -502,6 +510,8 @@ public: + { + ptr = fs->parseBase64( ptr, 0, new_elem); + ptr = skipSpaces( ptr, 0 ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + } + + ptr = parseTag( ptr, key2, type_name, tag_type ); +@@ -645,6 +655,9 @@ public: + char* parseTag( char* ptr, std::string& tag_name, + std::string& type_name, int& tag_type ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid tag input"); ++ + if( *ptr == '\0' ) + CV_PARSE_ERROR_CPP( "Unexpected end of the stream" ); + +@@ -702,6 +715,8 @@ public: + if( *ptr != '=' ) + { + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid attribute"); + if( *ptr != '=' ) + CV_PARSE_ERROR_CPP( "Attribute name should be followed by \'=\'" ); + } +@@ -740,6 +755,8 @@ public: + if( c != '>' ) + { + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + c = *ptr; + } + +@@ -781,6 +798,8 @@ public: + + // CV_XML_INSIDE_TAG is used to prohibit leading comments + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + + if( memcmp( ptr, "<?xml", 5 ) != 0 ) // FIXIT ptr[1..] - out of bounds read without check + CV_PARSE_ERROR_CPP( "Valid XML should start with \'<?xml ...?>\'" ); +@@ -791,6 +810,8 @@ public: + while( ptr && *ptr != '\0' ) + { + ptr = skipSpaces( ptr, 0 ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + + if( *ptr != '\0' ) + { +diff --git a/modules/core/src/persistence_yml.cpp b/modules/core/src/persistence_yml.cpp +index 4129ca1dc5..7742e82770 100644 +--- a/modules/core/src/persistence_yml.cpp ++++ b/modules/core/src/persistence_yml.cpp +@@ -330,6 +330,9 @@ public: + + char* skipSpaces( char* ptr, int min_indent, int max_comment_indent ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + for(;;) + { + while( *ptr == ' ' ) +@@ -374,6 +377,9 @@ public: + + bool getBase64Row(char* ptr, int indent, char* &beg, char* &end) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + beg = end = ptr = skipSpaces(ptr, 0, INT_MAX); + if (!ptr || !*ptr) + return false; // end of file +@@ -394,6 +400,9 @@ public: + + char* parseKey( char* ptr, FileNode& map_node, FileNode& value_placeholder ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + char c; + char *endptr = ptr - 1, *saveptr; + +@@ -422,6 +431,9 @@ public: + + char* parseValue( char* ptr, FileNode& node, int min_indent, bool is_parent_flow ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + char* endptr = 0; + char c = ptr[0], d = ptr[1]; + int value_type = FileNode::NONE; +@@ -508,6 +520,8 @@ public: + + *endptr = d; + ptr = skipSpaces( endptr, min_indent, INT_MAX ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + + c = *ptr; + +@@ -634,6 +648,8 @@ public: + FileNode elem; + + ptr = skipSpaces( ptr, new_min_indent, INT_MAX ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + if( *ptr == '}' || *ptr == ']' ) + { + if( *ptr != d ) +@@ -647,6 +663,8 @@ public: + if( *ptr != ',' ) + CV_PARSE_ERROR_CPP( "Missing , between the elements" ); + ptr = skipSpaces( ptr + 1, new_min_indent, INT_MAX ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + } + + if( struct_type == FileNode::MAP ) +@@ -746,6 +764,9 @@ public: + + bool parse( char* ptr ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + bool first = true; + bool ok = true; + FileNode root_collection(fs->getFS(), 0, 0); diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch new file mode 100644 index 0000000000..ad61d7c231 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch @@ -0,0 +1,73 @@ +From 384c5fa5f09aec5512343340fe65ccaaf83dfc48 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Fri, 23 Aug 2019 16:14:53 +0300 +Subject: [PATCH] objdetect: add input check in HOG detector + +CVE: CVE-2019-15939 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/5a497077f109d543ab86dfdf8add1c76c0e47d29.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/objdetect/src/hog.cpp | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/modules/objdetect/src/hog.cpp b/modules/objdetect/src/hog.cpp +index e3e43bb86e..af814658fe 100644 +--- a/modules/objdetect/src/hog.cpp ++++ b/modules/objdetect/src/hog.cpp +@@ -65,6 +65,7 @@ namespace cv + + static int numPartsWithin(int size, int part_size, int stride) + { ++ CV_Assert(stride != 0); + return (size - part_size + stride) / stride; + } + +@@ -77,13 +78,17 @@ static Size numPartsWithin(cv::Size size, cv::Size part_size, + + static size_t getBlockHistogramSize(Size block_size, Size cell_size, int nbins) + { ++ CV_Assert(!cell_size.empty()); + Size cells_per_block = Size(block_size.width / cell_size.width, +- block_size.height / cell_size.height); ++ block_size.height / cell_size.height); + return (size_t)(nbins * cells_per_block.area()); + } + + size_t HOGDescriptor::getDescriptorSize() const + { ++ CV_Assert(!cellSize.empty()); ++ CV_Assert(!blockStride.empty()); ++ + CV_Assert(blockSize.width % cellSize.width == 0 && + blockSize.height % cellSize.height == 0); + CV_Assert((winSize.width - blockSize.width) % blockStride.width == 0 && +@@ -141,20 +146,20 @@ bool HOGDescriptor::read(FileNode& obj) + if( !obj.isMap() ) + return false; + FileNodeIterator it = obj["winSize"].begin(); +- it >> winSize.width >> winSize.height; ++ it >> winSize.width >> winSize.height; CV_Assert(!winSize.empty()); + it = obj["blockSize"].begin(); +- it >> blockSize.width >> blockSize.height; ++ it >> blockSize.width >> blockSize.height; CV_Assert(!blockSize.empty()); + it = obj["blockStride"].begin(); +- it >> blockStride.width >> blockStride.height; ++ it >> blockStride.width >> blockStride.height; CV_Assert(!blockStride.empty()); + it = obj["cellSize"].begin(); +- it >> cellSize.width >> cellSize.height; +- obj["nbins"] >> nbins; ++ it >> cellSize.width >> cellSize.height; CV_Assert(!cellSize.empty()); ++ obj["nbins"] >> nbins; CV_Assert(nbins > 0); + obj["derivAperture"] >> derivAperture; + obj["winSigma"] >> winSigma; + obj["histogramNormType"] >> histogramNormType; + obj["L2HysThreshold"] >> L2HysThreshold; + obj["gammaCorrection"] >> gammaCorrection; +- obj["nlevels"] >> nlevels; ++ obj["nlevels"] >> nlevels; CV_Assert(nlevels > 0); + if (obj["signedGradient"].empty()) + signedGradient = false; + else diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch new file mode 100644 index 0000000000..3510e1eb98 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch @@ -0,0 +1,157 @@ +From 34195a57528a3f2c807bc3eeb8c934b8ea8289bd Mon Sep 17 00:00:00 2001 +From: Thang Tran <TranKimThang279@gmail.com> +Date: Mon, 27 May 2019 08:18:26 +0200 +Subject: [PATCH] video:fixed DISOpticalFlow segfault from small img + +CVE: CVE-2019-19624 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/d1615ba11a93062b1429fce9f0f638d1572d3418.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/video/src/dis_flow.cpp | 67 ++++++++++++++++++++++++- + modules/video/test/test_OF_accuracy.cpp | 28 +++++++++++ + 2 files changed, 93 insertions(+), 2 deletions(-) + +diff --git a/modules/video/src/dis_flow.cpp b/modules/video/src/dis_flow.cpp +index b86df1564b..adafcc92d8 100644 +--- a/modules/video/src/dis_flow.cpp ++++ b/modules/video/src/dis_flow.cpp +@@ -140,6 +140,8 @@ class DISOpticalFlowImpl CV_FINAL : public DISOpticalFlow + void prepareBuffers(Mat &I0, Mat &I1, Mat &flow, bool use_flow); + void precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy, Mat &dst_I0xy, Mat &dst_I0x, Mat &dst_I0y, Mat &I0x, + Mat &I0y); ++ int autoSelectCoarsestScale(int img_width); ++ void autoSelectPatchSizeAndScales(int img_width); + + struct PatchInverseSearch_ParBody : public ParallelLoopBody + { +@@ -435,6 +437,44 @@ void DISOpticalFlowImpl::precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy, + } + } + ++int DISOpticalFlowImpl::autoSelectCoarsestScale(int img_width) ++{ ++ const int fratio = 5; ++ return std::max(0, (int)std::floor(log2((2.0f*(float)img_width) / ((float)fratio * (float)patch_size)))); ++} ++ ++void DISOpticalFlowImpl::autoSelectPatchSizeAndScales(int img_width) ++{ ++ switch (finest_scale) ++ { ++ case 1: ++ patch_size = 8; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-2, 0); ++ break; ++ ++ case 3: ++ patch_size = 12; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-4, 0); ++ break; ++ ++ case 4: ++ patch_size = 12; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-5, 0); ++ break; ++ ++ // default case, fall-through. ++ case 2: ++ default: ++ patch_size = 8; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-2, 0); ++ break; ++ } ++} ++ + DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOpticalFlowImpl &_dis, int _nstripes, + int _hs, Mat &dst_Sx, Mat &dst_Sy, + Mat &src_Ux, Mat &src_Uy, Mat &_I0, Mat &_I1, +@@ -1313,9 +1353,20 @@ bool DISOpticalFlowImpl::ocl_calc(InputArray I0, InputArray I1, InputOutputArray + else + flow.create(I1Mat.size(), CV_32FC2); + UMat &u_flowMat = flow.getUMatRef(); +- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal movement of width/4 */ ++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code search for maximal movement of width/4 */ + (int)(log(min(I0Mat.cols, I0Mat.rows) / patch_size) / log(2.0))); /* Deepest pyramid level greater or equal than patch*/ + ++ if (coarsest_scale<0) ++ CV_Error(cv::Error::StsBadSize, "The input image must have either width or height >= 12"); ++ ++ if (coarsest_scale<finest_scale) ++ { ++ // choose the finest level based on coarsest level. ++ // Refs: https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239 ++ int original_img_width = I0.size().width; ++ autoSelectPatchSizeAndScales(original_img_width); ++ } ++ + ocl_prepareBuffers(I0Mat, I1Mat, u_flowMat, use_input_flow); + u_Ux[coarsest_scale].setTo(0.0f); + u_Uy[coarsest_scale].setTo(0.0f); +@@ -1380,8 +1431,20 @@ void DISOpticalFlowImpl::calc(InputArray I0, InputArray I1, InputOutputArray flo + else + flow.create(I1Mat.size(), CV_32FC2); + Mat flowMat = flow.getMat(); +- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal movement of width/4 */ ++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code search for maximal movement of width/4 */ + (int)(log(min(I0Mat.cols, I0Mat.rows) / patch_size) / log(2.0))); /* Deepest pyramid level greater or equal than patch*/ ++ ++ if (coarsest_scale<0) ++ CV_Error(cv::Error::StsBadSize, "The input image must have either width or height >= 12"); ++ ++ if (coarsest_scale<finest_scale) ++ { ++ // choose the finest level based on coarsest level. ++ // Refs: https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239 ++ int original_img_width = I0.size().width; ++ autoSelectPatchSizeAndScales(original_img_width); ++ } ++ + int num_stripes = getNumThreads(); + + prepareBuffers(I0Mat, I1Mat, flowMat, use_input_flow); +diff --git a/modules/video/test/test_OF_accuracy.cpp b/modules/video/test/test_OF_accuracy.cpp +index affbab6586..b99ffce2a8 100644 +--- a/modules/video/test/test_OF_accuracy.cpp ++++ b/modules/video/test/test_OF_accuracy.cpp +@@ -121,6 +121,34 @@ TEST(DenseOpticalFlow_DIS, ReferenceAccuracy) + } + } + ++TEST(DenseOpticalFlow_DIS, InvalidImgSize_CoarsestLevelLessThanZero) ++{ ++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create(); ++ const int mat_size = 10; ++ ++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat flow; ++ ++ ASSERT_THROW(of->calc(x, y, flow), cv::Exception); ++} ++ ++// make sure that autoSelectPatchSizeAndScales() works properly. ++TEST(DenseOpticalFlow_DIS, InvalidImgSize_CoarsestLevelLessThanFinestLevel) ++{ ++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create(); ++ const int mat_size = 80; ++ ++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat flow; ++ ++ of->calc(x, y, flow); ++ ++ ASSERT_EQ(flow.rows, mat_size); ++ ASSERT_EQ(flow.cols, mat_size); ++} ++ + TEST(DenseOpticalFlow_VariationalRefinement, ReferenceAccuracy) + { + Mat frame1, frame2, GT; diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch new file mode 100644 index 0000000000..b4d5e6dc44 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch @@ -0,0 +1,78 @@ +From f42d5399aac80d371b17d689851406669c9b9111 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Thu, 7 Nov 2019 14:01:51 +0300 +Subject: [PATCH] core(persistence): add more checks for implementation + limitations + +Signed-off-by: akash hadke <akash.hadke@kpit.com> +--- + modules/core/src/persistence_json.cpp | 8 ++++++++ + modules/core/src/persistence_xml.cpp | 6 ++++-- + 2 files changed, 12 insertions(+), 2 deletions(-) +--- +CVE: CVE-2019-5063 +CVE: CVE-2019-5064 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch] +--- +diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp +index 89914e6534f..2efdf17d3f5 100644 +--- a/modules/core/src/persistence_json.cpp ++++ b/modules/core/src/persistence_json.cpp +@@ -578,10 +578,14 @@ class JSONParser : public FileStorageParser + sz = (int)(ptr - beg); + if( sz > 0 ) + { ++ if (i + sz >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy(buf + i, beg, sz); + i += sz; + } + ptr++; ++ if (i + 1 >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + switch ( *ptr ) + { + case '\\': +@@ -605,6 +609,8 @@ class JSONParser : public FileStorageParser + sz = (int)(ptr - beg); + if( sz > 0 ) + { ++ if (i + sz >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy(buf + i, beg, sz); + i += sz; + } +@@ -620,6 +626,8 @@ class JSONParser : public FileStorageParser + sz = (int)(ptr - beg); + if( sz > 0 ) + { ++ if (i + sz >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy(buf + i, beg, sz); + i += sz; + } +diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp +index 89876dd3da8..52b53744254 100644 +--- a/modules/core/src/persistence_xml.cpp ++++ b/modules/core/src/persistence_xml.cpp +@@ -627,6 +627,8 @@ class XMLParser : public FileStorageParser + c = '\"'; + else + { ++ if (len + 2 + i >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy( strbuf + i, ptr-1, len + 2 ); + i += len + 2; + } +@@ -635,9 +637,9 @@ class XMLParser : public FileStorageParser + CV_PERSISTENCE_CHECK_END_OF_BUFFER_BUG_CPP(); + } + } ++ if (i + 1 >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("Too long string literal"); + strbuf[i++] = c; +- if( i >= CV_FS_MAX_LEN ) +- CV_PARSE_ERROR_CPP( "Too long string literal" ); + } + elem->setValue(FileNode::STRING, strbuf, i); + } diff --git a/meta-oe/recipes-support/opencv/opencv/download.patch b/meta-oe/recipes-support/opencv/opencv/download.patch index fa8db88078..ae01a5edcd 100644 --- a/meta-oe/recipes-support/opencv/opencv/download.patch +++ b/meta-oe/recipes-support/opencv/opencv/download.patch @@ -1,3 +1,8 @@ +From 3b1a69503dea2075d51655a0cea5369c88a67632 Mon Sep 17 00:00:00 2001 +From: Ross Burton <ross.burton@intel.com> +Date: Thu, 9 Jan 2020 16:24:24 +0000 +Subject: [PATCH] opencv: abort configure if we need to download + This CMake module will download files during do_configure. This is bad as it means we can't do offline builds. @@ -6,6 +11,10 @@ Add an option to disallow downloads by emitting a fatal error. Upstream-Status: Pending Signed-off-by: Ross Burton <ross.burton@intel.com> +--- + cmake/OpenCVDownload.cmake | 6 ++++++ + 1 file changed, 6 insertions(+) + diff --git a/cmake/OpenCVDownload.cmake b/cmake/OpenCVDownload.cmake index cdc47ad2cb..74573f45a2 100644 --- a/cmake/OpenCVDownload.cmake diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb index d781da6005..d7a0158749 100644 --- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb +++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb @@ -37,12 +37,12 @@ IPP_FILENAME = "${@ipp_filename(d)}" IPP_MD5 = "${@ipp_md5sum(d)}" SRCREV_FORMAT = "opencv_contrib_ipp_boostdesc_vgg" -SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \ - git://github.com/opencv/opencv_contrib.git;destsuffix=contrib;name=contrib \ - git://github.com/opencv/opencv_3rdparty.git;branch=ippicv/master_20180723;destsuffix=ipp;name=ipp \ - git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_boostdesc_20161012;destsuffix=boostdesc;name=boostdesc \ - git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_vgg_20160317;destsuffix=vgg;name=vgg \ - git://github.com/opencv/opencv_3rdparty.git;branch=contrib_face_alignment_20170818;destsuffix=face;name=face \ +SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol=https \ + git://github.com/opencv/opencv_contrib.git;destsuffix=contrib;name=contrib;branch=master;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=ippicv/master_20180723;destsuffix=ipp;name=ipp;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_boostdesc_20161012;destsuffix=boostdesc;name=boostdesc;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_vgg_20160317;destsuffix=vgg;name=vgg;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=contrib_face_alignment_20170818;destsuffix=face;name=face;protocol=https \ file://0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch \ file://0002-Make-opencv-ts-create-share-library-intead-of-static.patch \ file://0003-To-fix-errors-as-following.patch \ @@ -50,6 +50,11 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \ file://0001-Dont-use-isystem.patch \ file://0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch \ file://download.patch \ + file://CVE-2019-14491.patch \ + file://CVE-2019-14493.patch \ + file://CVE-2019-15939.patch \ + file://CVE-2019-19624.patch \ + file://CVE-2019-5063_and_2019-5064.patch \ " PV = "4.1.0" diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch new file mode 100644 index 0000000000..c6bac80061 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch @@ -0,0 +1,31 @@ +From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Sat, 6 Feb 2021 20:52:06 +0000 +Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck + + +Signed-off-by: Howard Chu <hyc@openldap.org> + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30] +CVE: CVE-2021-27212 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + servers/slapd/schema_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 31be115..8b1e255 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck( + break; + } + } ++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX; ++ + x.bv_val += tu->bv_len + 1; + x.bv_len -= tu->bv_len + 1; + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch new file mode 100644 index 0000000000..2860b95220 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch @@ -0,0 +1,277 @@ +From 11e136f15085a4bda5701e910988966bed699977 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 18 May 2022 13:57:59 +0530 +Subject: [PATCH] CVE-2022-29155 + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134] +CVE: CVE-2022-29155 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +--- + servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++----- + 1 file changed, 105 insertions(+), 18 deletions(-) + +diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c +index bb0f1e2..1770bde 100644 +--- a/servers/slapd/back-sql/search.c ++++ b/servers/slapd/back-sql/search.c +@@ -63,6 +63,38 @@ static void send_paged_response( + ID *lastid ); + #endif /* ! BACKSQL_ARBITRARY_KEY */ + ++/* Look for chars that need to be escaped, return count of them. ++ * If out is non-NULL, copy escape'd val to it. ++ */ ++static int ++backsql_val_escape( Operation *op, struct berval *in, struct berval *out ) ++{ ++ char *ptr, *end; ++ int q = 0; ++ ++ ptr = in->bv_val; ++ end = ptr + in->bv_len; ++ while (ptr < end) { ++ if ( *ptr == '\'' ) ++ q++; ++ ptr++; ++ } ++ if ( q && out ) { ++ char *dst; ++ out->bv_len = in->bv_len + q; ++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx ); ++ ptr = in->bv_val; ++ dst = out->bv_val; ++ while (ptr < end ) { ++ if ( *ptr == '\'' ) ++ *dst++ = '\''; ++ *dst++ = *ptr++; ++ } ++ *dst = '\0'; ++ } ++ return q; ++} ++ + static int + backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad ) + { +@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private; + int i; + int casefold = 0; ++ int escaped = 0; ++ struct berval escval, *fvalue; + + if ( !f ) { + return 0; +@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + + BER_BVZERO( &bv ); + if ( f->f_sub_initial.bv_val ) { +- bv.bv_len += f->f_sub_initial.bv_len; ++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL ); + } + if ( f->f_sub_any != NULL ) { + for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) { +- bv.bv_len += f->f_sub_any[ a ].bv_len; ++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL ); + } + } + if ( f->f_sub_final.bv_val ) { +- bv.bv_len += f->f_sub_final.bv_len; ++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL ); + } + bv.bv_len = 2 * bv.bv_len - 1; + bv.bv_val = ch_malloc( bv.bv_len + 1 ); + + s = 0; + if ( !BER_BVISNULL( &f->f_sub_initial ) ) { +- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) { ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + if ( f->f_sub_any != NULL ) { + for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) { +- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) { ++ fvalue = &f->f_sub_any[ a ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + } + + if ( !BER_BVISNULL( &f->f_sub_final ) ) { +- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) { ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } +- bv.bv_val[ s + 2 * i - 1 ] = '%'; ++ bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + bv.bv_val[ s - 1 ] = '\0'; +@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + f->f_sub_initial.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_initial ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + i, f->f_sub_any[ i ].bv_val ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_any[ i ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "bc", +- &f->f_sub_any[ i ], ++ fvalue, + '%' ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + /* + * Note: toupper('%') = '%' +@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + f->f_sub_final.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_final ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -1183,6 +1253,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r + struct berval *filter_value = NULL; + MatchingRule *matching_rule = NULL; + struct berval ordering = BER_BVC("<="); ++ struct berval escval; ++ int escaped = 0; + + Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); +@@ -1237,6 +1309,10 @@ equality_match:; + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* FIXME: directoryString filtering should use a similar + * approach to deal with non-prettified values like + * " A non prettified value ", by using a LIKE +@@ -1317,6 +1393,10 @@ equality_match:; + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* + * FIXME: should we uppercase the operands? + */ +@@ -1350,7 +1430,7 @@ equality_match:; + &at->bam_sel_expr, + &ordering, + '\'', +- &f->f_av_value, ++ filter_value, + (ber_len_t)STRLENOF( /* (' */ "')" ), + /* ( */ "')" ); + } +@@ -1374,13 +1454,17 @@ equality_match:; + case LDAP_FILTER_APPROX: + /* we do our best */ + ++ filter_value = &f->f_av_value; ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; + /* + * maybe we should check type of at->sel_expr here somehow, + * to know whether upper_func is applicable, but for now + * upper_func stuff is made for Oracle, where UPPER is + * safely applicable to NUMBER etc. + */ +- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value ); ++ (void)backsql_process_filter_like( bsi, at, 1, filter_value ); + break; + + default: +@@ -1394,6 +1478,9 @@ equality_match:; + + } + ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); ++ + Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch new file mode 100644 index 0000000000..f4b4eb95d5 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch @@ -0,0 +1,30 @@ +From 752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Wed, 24 Aug 2022 14:40:51 +0100 +Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure + +Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce] +CVE: CVE-2023-2953 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libraries/libldap/fetch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c +index 9e426dc647..536871bcfe 100644 +--- a/libraries/libldap/fetch.c ++++ b/libraries/libldap/fetch.c +@@ -69,6 +69,8 @@ ldif_open_url( + } + + p = ber_strdup( urlstr ); ++ if ( p == NULL ) ++ return NULL; + + /* But we should convert to LDAP_DIRSEP before use */ + if ( LDAP_DIRSEP[0] != '/' ) { +-- +GitLab + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch new file mode 100644 index 0000000000..02c43bc445 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch @@ -0,0 +1,76 @@ +From 6563fab9e2feccb0a684d0398e78571d09fb808b Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Thu, 25 Aug 2022 16:13:21 +0100 +Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure + +Avoid unnecessary strdup in IPv6 addr parsing, check for strdup +failure when dup'ing scheme. + +Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59 + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b] +CVE: CVE-2023-2953 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libraries/libldap/url.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c +index dcf2aac9e8..493fd7ce47 100644 +--- a/libraries/libldap/url.c ++++ b/libraries/libldap/url.c +@@ -1385,24 +1385,22 @@ ldap_url_parsehosts( + } + ludp->lud_port = port; + ludp->lud_host = specs[i]; +- specs[i] = NULL; + p = strchr(ludp->lud_host, ':'); + if (p != NULL) { + /* more than one :, IPv6 address */ + if ( strchr(p+1, ':') != NULL ) { + /* allow [address] and [address]:port */ + if ( *ludp->lud_host == '[' ) { +- p = LDAP_STRDUP(ludp->lud_host+1); +- /* copied, make sure we free source later */ +- specs[i] = ludp->lud_host; +- ludp->lud_host = p; +- p = strchr( ludp->lud_host, ']' ); ++ p = strchr( ludp->lud_host+1, ']' ); + if ( p == NULL ) { + LDAP_FREE(ludp); + ldap_charray_free(specs); + return LDAP_PARAM_ERROR; + } +- *p++ = '\0'; ++ /* Truncate trailing ']' and shift hostname down 1 char */ ++ *p = '\0'; ++ AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host ); ++ p++; + if ( *p != ':' ) { + if ( *p != '\0' ) { + LDAP_FREE(ludp); +@@ -1428,14 +1426,19 @@ ldap_url_parsehosts( + } + } + } +- ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_scheme = LDAP_STRDUP("ldap"); ++ if ( ludp->lud_scheme == NULL ) { ++ LDAP_FREE(ludp); ++ ldap_charray_free(specs); ++ return LDAP_NO_MEMORY; ++ } ++ specs[i] = NULL; ++ ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_next = *ludlist; + *ludlist = ludp; + } + + /* this should be an array of NULLs now */ +- /* except entries starting with [ */ + ldap_charray_free(specs); + return LDAP_SUCCESS; + } +-- +GitLab + diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb index a282523a3c..7c2ea7c452 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb @@ -23,8 +23,11 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$ file://thread_stub.patch \ file://openldap-CVE-2015-3276.patch \ file://remove-user-host-pwd-from-version.patch \ + file://CVE-2022-29155.patch \ + file://CVE-2023-2953-1.patch \ + file://CVE-2023-2953-2.patch \ + file://CVE-2021-27212.patch \ " - SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c" SRC_URI[sha256sum] = "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a" diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch new file mode 100644 index 0000000000..74e547298f --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch @@ -0,0 +1,55 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7 +From: Frank Morgner <frankmorgner@gmail.com> +Date: Wed, 21 Jun 2023 12:27:23 +0200 +Subject: Fixed PIN authentication bypass + +If two processes are accessing a token, then one process may leave the +card usable with an authenticated PIN so that a key may sign/decrypt any +data. This is especially the case if the token does not support a way of +resetting the authentication status (logout). + +We have some tracking of the authentication status in software via +PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a +PIN-prompt will appear even though the card may technically be unlocked +as described in the above example. However, before this change, an empty +PIN was not verified (likely yielding an error during PIN-verification), +but it was just checked whether the PIN is authenticated. This defeats +the purpose of the PIN verification, because an empty PIN is not the +correct one. Especially during OS Logon, we don't want that kind of +shortcut, but we want the user to verify the correct PIN (even though +the token was left unattended and authentication at the computer). + +This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864. + +CVE: CVE-2023-40660 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/940e8bc764047c873f88bb1396933a5368d03533] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + src/libopensc/pkcs15-pin.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c +index 80a185fecd..393234efe4 100644 +--- a/src/libopensc/pkcs15-pin.c ++++ b/src/libopensc/pkcs15-pin.c +@@ -307,19 +307,6 @@ + LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE); + auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; + +- /* +- * if pin cache is disabled, we can get here with no PIN data. +- * in this case, to avoid error or unnecessary pin prompting on pinpad, +- * check if the PIN has been already verified and the access condition +- * is still open on card. +- */ +- if (pinlen == 0) { +- r = sc_pkcs15_get_pin_info(p15card, pin_obj); +- +- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN) +- LOG_FUNC_RETURN(ctx, r); +- } +- + r = _validate_pin(p15card, auth_info, pinlen); + + if (r) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch new file mode 100644 index 0000000000..3ecff558cf --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch @@ -0,0 +1,47 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 17 Aug 2023 13:54:42 +0200 +Subject: pkcs15: Avoid buffer overflow when getting last update + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 + +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. + +--- + src/libopensc/pkcs15.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c +index eb7fc6afcd..4215b733a8 100644 +--- a/src/libopensc/pkcs15.c ++++ b/src/libopensc/pkcs15.c +@@ -528,7 +528,7 @@ + struct sc_context *ctx = p15card->card->ctx; + struct sc_file *file = NULL; + struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE]; +- unsigned char *content, last_update[32]; ++ unsigned char *content, last_update[32] = {0}; + size_t lupdate_len = sizeof(last_update) - 1; + int r, content_len; + size_t size; +@@ -564,9 +564,11 @@ + if (r < 0) + return NULL; + +- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); +- if (!p15card->tokeninfo->last_update.gtime) +- return NULL; ++ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) { ++ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); ++ if (!p15card->tokeninfo->last_update.gtime) ++ return NULL; ++ } + done: + sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime); + return p15card->tokeninfo->last_update.gtime; + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch new file mode 100644 index 0000000000..39e729c5a9 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch @@ -0,0 +1,32 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 17 Aug 2023 13:41:36 +0200 +Subject: setcos: Avoid buffer underflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-setcos.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c +index 1b56afe6d9..1907b47f9d 100644 +--- a/src/pkcs15init/pkcs15-setcos.c ++++ b/src/pkcs15init/pkcs15-setcos.c +@@ -346,6 +346,10 @@ + + /* Replace the path of instantiated key template by the path from the object data. */ + memcpy(&file->path, &key_info->path, sizeof(file->path)); ++ if (file->path.len < 2) { ++ sc_file_free(file); ++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path"); ++ } + file->id = file->path.value[file->path.len - 2] * 0x100 + + file->path.value[file->path.len - 1]; + + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch new file mode 100644 index 0000000000..7950cf91df --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch @@ -0,0 +1,31 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e +From: Jakub Jelen <jjelen@redhat.com> +Date: Wed, 20 Sep 2023 10:13:57 +0200 +Subject: oberthur: Avoid buffer overflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-oberthur.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c +index ad2cabd530..c441ab1e76 100644 +--- a/src/pkcs15init/pkcs15-oberthur.c ++++ b/src/pkcs15init/pkcs15-oberthur.c +@@ -688,6 +688,9 @@ + if (object->type != SC_PKCS15_TYPE_PRKEY_RSA) + LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported"); + ++ if (key_info->path.len < 2) ++ LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long"); ++ + sc_log(ctx, "create private key ID:%s", sc_pkcs15_print_id(&key_info->id)); + /* Here, the path of private key file should be defined. + * Nevertheless, we need to instantiate private key to get the ACLs. */ + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch new file mode 100644 index 0000000000..797f8ad3b1 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch @@ -0,0 +1,28 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec +From: Frank Morgner <frankmorgner@gmail.com> +Date: Thu, 8 Dec 2022 00:27:18 +0100 +Subject: sc_pkcs15init_rmdir: prevent out of bounds write + +fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index 91cee37310..3df03c6e1f 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -666,6 +666,8 @@ + + path = df->path; + path.len += 2; ++ if (path.len > SC_MAX_PATH_SIZE) ++ return SC_ERROR_INTERNAL; + + nfids = r / 2; + while (r >= 0 && nfids--) { + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch new file mode 100644 index 0000000000..e173e65575 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch @@ -0,0 +1,30 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/c449a181a6988cc1e8dc8764d23574e48cdc3fa6 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com> +Date: Mon, 19 Jun 2023 16:14:51 +0200 +Subject: pkcs15-cflex: check path length to prevent underflow + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-cflex.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c +index d06568073d..ce1d48e62c 100644 +--- a/src/pkcs15init/pkcs15-cflex.c ++++ b/src/pkcs15init/pkcs15-cflex.c +@@ -56,6 +56,9 @@ + int r = 0; + /* Select the parent DF */ + path = df->path; ++ if (path.len < 2) { ++ return SC_ERROR_INVALID_ARGUMENTS; ++ } + path.len -= 2; + r = sc_select_file(p15card->card, &path, &parent); + if (r < 0) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch new file mode 100644 index 0000000000..abb524de29 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch @@ -0,0 +1,30 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1 +From: Veronika Hanulikova <xhanulik@fi.muni.cz> +Date: Fri, 10 Feb 2023 11:47:34 +0100 +Subject: Check array bounds + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/libopensc/muscle.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c +index 61a4ec24d8..9d01e0c113 100644 +--- a/src/libopensc/muscle.c ++++ b/src/libopensc/muscle.c +@@ -183,6 +183,9 @@ + sc_apdu_t apdu; + int r; + ++ if (dataLength + 9 > MSC_MAX_APDU) ++ return SC_ERROR_INVALID_ARGUMENTS; ++ + sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00); + apdu.lc = dataLength + 9; + if (card->ctx->debug >= 2) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch new file mode 100644 index 0000000000..858a996ed7 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch @@ -0,0 +1,40 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/5631e9843c832a99769def85b7b9b68b4e3e3959 +From: Veronika Hanulikova <xhanulik@fi.muni.cz> +Date: Fri, 3 Mar 2023 16:07:38 +0100 +Subject: Check length of string before making copy + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/profile.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c +index 2b793b0282..3bad1e8536 100644 +--- a/src/pkcs15init/profile.c ++++ b/src/pkcs15init/profile.c +@@ -1465,6 +1465,8 @@ + while (argc--) { + unsigned int op, method, id; + ++ if (strlen(*argv) >= sizeof(oper)) ++ goto bad; + strlcpy(oper, *argv++, sizeof(oper)); + if ((what = strchr(oper, '=')) == NULL) + goto bad; +@@ -2128,6 +2130,9 @@ + return get_uint(cur, value, type); + } + ++ if (strlen(value) >= sizeof(temp)) ++ return 1; ++ + n = strcspn(value, "0123456789x"); + strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp)); + + diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb index a815980c4f..3eb0c1e558 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb @@ -13,7 +13,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" #v0.19.0 SRCREV = "45e29056ccde422e70ed3585084a7f150c632515" -SRC_URI = "git://github.com/OpenSC/OpenSC \ +SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ + file://CVE-2023-40660.patch \ + file://CVE-2023-40661-1.patch \ + file://CVE-2023-40661-2.patch \ + file://CVE-2023-40661-3.patch \ + file://CVE-2023-40661-4.patch \ + file://CVE-2023-40661-5.patch \ + file://CVE-2023-40661-6.patch \ + file://CVE-2023-40661-7.patch \ " DEPENDS = "virtual/libiconv openssl" diff --git a/meta-oe/recipes-support/picocom/picocom_git.bb b/meta-oe/recipes-support/picocom/picocom_git.bb index 3d26b9364b..801300e707 100644 --- a/meta-oe/recipes-support/picocom/picocom_git.bb +++ b/meta-oe/recipes-support/picocom/picocom_git.bb @@ -9,7 +9,7 @@ PV = "${BASEPV}+git${SRCPV}" SRCREV = "90385aabe2b51f39fa130627d46b377569f82d4a" -SRC_URI = "git://github.com/npat-efault/picocom \ +SRC_URI = "git://github.com/npat-efault/picocom;branch=master;protocol=https \ file://0001-Fix-building-with-musl.patch \ " diff --git a/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb b/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb index 3a437659e7..0e3e5ff733 100644 --- a/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb +++ b/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb @@ -7,7 +7,7 @@ DEPENDS = "pidgin json-glib glib-2.0" inherit pkgconfig -SRC_URI = "git://github.com/EionRobb/funyahoo-plusplus;branch=master;protocol=git" +SRC_URI = "git://github.com/EionRobb/funyahoo-plusplus;branch=master;protocol=https" SRCREV = "fbbd9c591100aa00a0487738ec7b6acd3d924b3f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/pidgin/icyque_git.bb b/meta-oe/recipes-support/pidgin/icyque_git.bb index 0f32dc3a39..2905e16fcc 100644 --- a/meta-oe/recipes-support/pidgin/icyque_git.bb +++ b/meta-oe/recipes-support/pidgin/icyque_git.bb @@ -9,7 +9,7 @@ PV = "0.1+gitr${SRCPV}" inherit pkgconfig -SRC_URI = "git://github.com/EionRobb/icyque" +SRC_URI = "git://github.com/EionRobb/icyque;branch=master;protocol=https" SRCREV = "513fc162d5d1a201c2b044e2b42941436d1069d5" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb b/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb index 092e6059b8..854920d2ee 100644 --- a/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb +++ b/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb @@ -7,7 +7,7 @@ DEPENDS = "pidgin json-glib glib-2.0 zlib" inherit pkgconfig -SRC_URI = "git://github.com/EionRobb/skype4pidgin;branch=master;protocol=git" +SRC_URI = "git://github.com/EionRobb/skype4pidgin;branch=master;protocol=https" SRCREV = "14f1b69b6292bbdc98cca484b050ec8359394c4e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/poco/poco_1.9.4.bb b/meta-oe/recipes-support/poco/poco_1.9.4.bb index fcd5219759..1c3a4ebb03 100644 --- a/meta-oe/recipes-support/poco/poco_1.9.4.bb +++ b/meta-oe/recipes-support/poco/poco_1.9.4.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=4267f48fc738f50380cbeeb76f95cebc" DEPENDS = "libpcre zlib" SRC_URI = " \ - git://github.com/pocoproject/poco.git;branch=poco-${PV} \ + git://github.com/pocoproject/poco.git;branch=poco-${PV};protocol=https \ file://0001-Don-t-try-to-install-non-existing-Encodings-testsuit.patch \ file://0001-riscv-Enable-double-operations-when-using-double-flo.patch \ file://run-ptest \ diff --git a/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb b/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb index c8baa5d9ca..5b53587745 100644 --- a/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb +++ b/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRCREV = "cb48b7ecf7079ceba7081c78d4e61e507b0e8d2d" -SRC_URI = "git://github.com/ago/pps-tools.git" +SRC_URI = "git://github.com/ago/pps-tools.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/remmina/remmina_1.3.6.bb b/meta-oe/recipes-support/remmina/remmina_1.3.6.bb index 1c2f270e32..3b1e8706ce 100644 --- a/meta-oe/recipes-support/remmina/remmina_1.3.6.bb +++ b/meta-oe/recipes-support/remmina/remmina_1.3.6.bb @@ -10,7 +10,7 @@ DEPENDS_append_libc-musl = " libexecinfo" LDFLAGS_append_libc-musl = " -lexecinfo" SRCREV = "cc391370d8b4c07597617e0a771a9732f0802411" -SRC_URI = "git://gitlab.com/Remmina/Remmina;protocol=https \ +SRC_URI = "git://gitlab.com/Remmina/Remmina;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb b/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb index 33f5dccca2..6fe8aa76f2 100644 --- a/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb +++ b/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb @@ -25,7 +25,7 @@ RDEPENDS_${PN} = "rsync \ SRCREV = "a9e29850fc33c503c289e245c7bad350eed746d9" PV = "1.4.3+git${SRCPV}" -SRC_URI = "git://github.com/DrHyde/${BPN};branch=master;protocol=git \ +SRC_URI = "git://github.com/DrHyde/${BPN};branch=master;protocol=https \ file://configure-fix-cmd_rsync.patch \ " diff --git a/meta-oe/recipes-support/sass/libsass_3.6.3.bb b/meta-oe/recipes-support/sass/libsass_3.6.3.bb index d893be2231..4b4fe55669 100644 --- a/meta-oe/recipes-support/sass/libsass_3.6.3.bb +++ b/meta-oe/recipes-support/sass/libsass_3.6.3.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8f34396ca205f5e119ee77aae91fa27d" inherit autotools -SRC_URI = "git://github.com/sass/libsass.git;branch=master" +SRC_URI = "git://github.com/sass/libsass.git;branch=master;protocol=https" SRCREV = "e1c16e09b4a953757a15149deaaf28a3fd81dc97" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/sass/sassc_git.bb b/meta-oe/recipes-support/sass/sassc_git.bb index 3c7a55cc3d..985d519f93 100644 --- a/meta-oe/recipes-support/sass/sassc_git.bb +++ b/meta-oe/recipes-support/sass/sassc_git.bb @@ -6,7 +6,7 @@ DEPENDS = "libsass" inherit autotools pkgconfig -SRC_URI = "git://github.com/sass/sassc.git" +SRC_URI = "git://github.com/sass/sassc.git;branch=master;protocol=https" SRCREV = "46748216ba0b60545e814c07846ca10c9fefc5b6" S = "${WORKDIR}/git" PV = "3.6.1" diff --git a/meta-oe/recipes-support/satyr/satyr_0.28.bb b/meta-oe/recipes-support/satyr/satyr_0.28.bb index fbf018d7f5..a928681ae8 100644 --- a/meta-oe/recipes-support/satyr/satyr_0.28.bb +++ b/meta-oe/recipes-support/satyr/satyr_0.28.bb @@ -7,7 +7,7 @@ LICENSE = "GPLv2" inherit autotools-brokensep python3native pkgconfig -SRC_URI = "git://github.com/abrt/satyr.git \ +SRC_URI = "git://github.com/abrt/satyr.git;branch=master;protocol=https \ file://0002-fix-compile-failure-against-musl-C-library.patch \ " SRCREV = "8b5547b89b712b39a59f1d8b366e7de0f5f46108" diff --git a/meta-oe/recipes-support/serial-utils/pty-forward-native.bb b/meta-oe/recipes-support/serial-utils/pty-forward-native.bb index 7f59b3ecad..87d9c52903 100644 --- a/meta-oe/recipes-support/serial-utils/pty-forward-native.bb +++ b/meta-oe/recipes-support/serial-utils/pty-forward-native.bb @@ -6,7 +6,7 @@ SECTION = "console/network" SRCREV = "00dbec2636ae0385ad028587e20e446272ff97ec" PV = "1.1+gitr${SRCPV}" -SRC_URI = "git://github.com/freesmartphone/cornucopia.git;protocol=https" +SRC_URI = "git://github.com/freesmartphone/cornucopia.git;protocol=https;branch=master" S = "${WORKDIR}/git/tools/serial_forward" inherit autotools native diff --git a/meta-oe/recipes-support/serial-utils/serial-forward_git.bb b/meta-oe/recipes-support/serial-utils/serial-forward_git.bb index 0ef829856c..dcad8f7104 100644 --- a/meta-oe/recipes-support/serial-utils/serial-forward_git.bb +++ b/meta-oe/recipes-support/serial-utils/serial-forward_git.bb @@ -6,7 +6,7 @@ SECTION = "console/devel" SRCREV = "07c6fdede0870edc37a8d51d033b6e7e29aa7c91" PV = "1.1+gitr${SRCPV}" -SRC_URI = "git://github.com/freesmartphone/cornucopia.git \ +SRC_URI = "git://github.com/freesmartphone/cornucopia.git;branch=master;protocol=https \ file://0001-serial_forward-Disable-default-static-linking.patch;striplevel=3 \ " S = "${WORKDIR}/git/tools/serial_forward" diff --git a/meta-oe/recipes-support/span-lite/span-lite_git.bb b/meta-oe/recipes-support/span-lite/span-lite_git.bb index 96ec829b74..abb3ec2f36 100644 --- a/meta-oe/recipes-support/span-lite/span-lite_git.bb +++ b/meta-oe/recipes-support/span-lite/span-lite_git.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/martinmoene/span-lite" LICENSE = "BSL-1.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c" -SRC_URI += "git://github.com/martinmoene/span-lite" +SRC_URI += "git://github.com/martinmoene/span-lite;branch=master;protocol=https" SRCREV = "e03d1166ccc8481d993dc02aae703966301a5e6e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb b/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb index 39629cce0d..9294d1a70e 100644 --- a/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb +++ b/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" SRCREV = "cf6f1dd01e660d5865d68bf5fa78f6376b89470a" -SRC_URI = "git://github.com/gabime/spdlog.git;protocol=git;branch=v1.x;" +SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x;" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/spitools/spitools_git.bb b/meta-oe/recipes-support/spitools/spitools_git.bb index 625756873b..b9ed1bcd7b 100644 --- a/meta-oe/recipes-support/spitools/spitools_git.bb +++ b/meta-oe/recipes-support/spitools/spitools_git.bb @@ -10,7 +10,7 @@ SRCREV = "4a36a84f7df291ddaebd397aecf0c8515256a8e0" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/cpb-/spi-tools.git;protocol=git" +SRC_URI = "git://github.com/cpb-/spi-tools.git;protocol=https;branch=master" inherit autotools diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch new file mode 100644 index 0000000000..4a09c8c7fa --- /dev/null +++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch @@ -0,0 +1,629 @@ +From 73b5c300b8fde5e7a4824baa83a04931279abb37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= + <laszlo.varady@protonmail.com> +Date: Sat, 20 Aug 2022 12:42:38 +0200 +Subject: [PATCH] CVE-2022-38725 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: László Várady <laszlo.varady@protonmail.com> +Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> + +Upstream-Status: Backport from [https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8 && https://github.com/syslog-ng/syslog-ng/commit/81a07263f1e522a376d3a30f96f51df3f2879f8a && https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d && https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37 && https://github.com/syslog-ng/syslog-ng/commit/45f051239312e43bd4f92b9339fe67c6798a0321 && https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4 && https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 && https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d] +CVE: CVE-2022-38725 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/timeutils/scan-timestamp.c | 68 +++++---- + lib/timeutils/tests/test_scan-timestamp.c | 133 ++++++++++++++++-- + modules/syslogformat/CMakeLists.txt | 2 + + modules/syslogformat/Makefile.am | 2 + + modules/syslogformat/syslog-format.c | 12 +- + modules/syslogformat/tests/CMakeLists.txt | 1 + + modules/syslogformat/tests/Makefile.am | 9 ++ + .../syslogformat/tests/test_syslog_format.c | 104 ++++++++++++++ + 8 files changed, 284 insertions(+), 47 deletions(-) + create mode 100644 modules/syslogformat/tests/CMakeLists.txt + create mode 100644 modules/syslogformat/tests/Makefile.am + create mode 100644 modules/syslogformat/tests/test_syslog_format.c + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index 41ead1a..ec9746b 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -34,41 +34,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday) + { + *wday = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'S': +- if (strncasecmp(*buf, "Sun", 3) == 0) ++ if (strncasecmp(*buf, "Sun", abbrev_length) == 0) + *wday = 0; +- else if (strncasecmp(*buf, "Sat", 3) == 0) ++ else if (strncasecmp(*buf, "Sat", abbrev_length) == 0) + *wday = 6; + break; + case 'M': +- if (strncasecmp(*buf, "Mon", 3) == 0) ++ if (strncasecmp(*buf, "Mon", abbrev_length) == 0) + *wday = 1; + break; + case 'T': +- if (strncasecmp(*buf, "Tue", 3) == 0) ++ if (strncasecmp(*buf, "Tue", abbrev_length) == 0) + *wday = 2; +- else if (strncasecmp(*buf, "Thu", 3) == 0) ++ else if (strncasecmp(*buf, "Thu", abbrev_length) == 0) + *wday = 4; + break; + case 'W': +- if (strncasecmp(*buf, "Wed", 3) == 0) ++ if (strncasecmp(*buf, "Wed", abbrev_length) == 0) + *wday = 3; + break; + case 'F': +- if (strncasecmp(*buf, "Fri", 3) == 0) ++ if (strncasecmp(*buf, "Fri", abbrev_length) == 0) + *wday = 5; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -77,57 +79,59 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon) + { + *mon = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'J': +- if (strncasecmp(*buf, "Jan", 3) == 0) ++ if (strncasecmp(*buf, "Jan", abbrev_length) == 0) + *mon = 0; +- else if (strncasecmp(*buf, "Jun", 3) == 0) ++ else if (strncasecmp(*buf, "Jun", abbrev_length) == 0) + *mon = 5; +- else if (strncasecmp(*buf, "Jul", 3) == 0) ++ else if (strncasecmp(*buf, "Jul", abbrev_length) == 0) + *mon = 6; + break; + case 'F': +- if (strncasecmp(*buf, "Feb", 3) == 0) ++ if (strncasecmp(*buf, "Feb", abbrev_length) == 0) + *mon = 1; + break; + case 'M': +- if (strncasecmp(*buf, "Mar", 3) == 0) ++ if (strncasecmp(*buf, "Mar", abbrev_length) == 0) + *mon = 2; +- else if (strncasecmp(*buf, "May", 3) == 0) ++ else if (strncasecmp(*buf, "May", abbrev_length) == 0) + *mon = 4; + break; + case 'A': +- if (strncasecmp(*buf, "Apr", 3) == 0) ++ if (strncasecmp(*buf, "Apr", abbrev_length) == 0) + *mon = 3; +- else if (strncasecmp(*buf, "Aug", 3) == 0) ++ else if (strncasecmp(*buf, "Aug", abbrev_length) == 0) + *mon = 7; + break; + case 'S': +- if (strncasecmp(*buf, "Sep", 3) == 0) ++ if (strncasecmp(*buf, "Sep", abbrev_length) == 0) + *mon = 8; + break; + case 'O': +- if (strncasecmp(*buf, "Oct", 3) == 0) ++ if (strncasecmp(*buf, "Oct", abbrev_length) == 0) + *mon = 9; + break; + case 'N': +- if (strncasecmp(*buf, "Nov", 3) == 0) ++ if (strncasecmp(*buf, "Nov", abbrev_length) == 0) + *mon = 10; + break; + case 'D': +- if (strncasecmp(*buf, "Dec", 3) == 0) ++ if (strncasecmp(*buf, "Dec", abbrev_length) == 0) + *mon = 11; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -302,7 +306,7 @@ __parse_usec(const guchar **data, gint *length) + src++; + (*length)--; + } +- while (isdigit(*src)) ++ while (*length > 0 && isdigit(*src)) + { + src++; + (*length)--; +@@ -316,19 +320,21 @@ __parse_usec(const guchar **data, gint *length) + static gboolean + __has_iso_timezone(const guchar *src, gint length) + { +- return (length >= 5) && ++ return (length >= 6) && + (*src == '+' || *src == '-') && + isdigit(*(src+1)) && + isdigit(*(src+2)) && + *(src+3) == ':' && + isdigit(*(src+4)) && + isdigit(*(src+5)) && +- !isdigit(*(src+6)); ++ (length < 7 || !isdigit(*(src+6))); + } + + static guint32 + __parse_iso_timezone(const guchar **data, gint *length) + { ++ g_assert(*length >= 6); ++ + gint hours, mins; + const guchar *src = *data; + guint32 tz = 0; +@@ -338,8 +344,10 @@ __parse_iso_timezone(const guchar **data, gint *length) + hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0'; + mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0'; + tz = sign * (hours * 3600 + mins * 60); ++ + src += 6; + (*length) -= 6; ++ + *data = src; + return tz; + } +@@ -393,7 +401,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, WallClockTime *wct) + if (!scan_pix_timestamp((const gchar **) &src, &left, wct)) + return FALSE; + +- if (*src == ':') ++ if (left && *src == ':') + { + src++; + left--; +@@ -444,7 +452,7 @@ scan_rfc3164_timestamp(const guchar **data, gint *length, WallClockTime *wct) + * looking at you, skip that as well, so we can reliably detect IPv6 + * addresses as hostnames, which would be using ":" as well. */ + +- if (*src == ':') ++ if (left && *src == ':') + { + ++src; + --left; +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index 4508139..ad657c6 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -49,17 +49,21 @@ fake_time_add(time_t diff) + } + + static gboolean +-_parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc3164(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + +- ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc3164_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -70,16 +74,21 @@ _parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc5424(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc5424_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -90,31 +99,60 @@ _parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_rfc3164_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc3164_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc3164(ts, converted)); ++ cr_assert(_parse_rfc3164(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + static gboolean +-_rfc5424_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc5424_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc5424(ts, converted)); ++ cr_assert(_parse_rfc5424(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + #define _expect_rfc3164_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc3164_timestamp_eq(ts, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc3164_timestamp_eq(ts, -1, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc3164_timestamp_eq(ts, len, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc3164_timestamp(&data, &length, &wct)); \ + }) + + #define _expect_rfc5424_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc5424_timestamp_eq(ts, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc5424_timestamp_eq(ts, -1, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc5424_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc5424_timestamp_eq(ts, len, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ + }) + ++#define _expect_rfc5424_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc5424_timestamp(&data, &length, &wct)); \ ++ }) ++ ++ + Test(parse_timestamp, standard_bsd_format) + { + _expect_rfc3164_timestamp_eq("Oct 1 17:46:12", "2017-10-01T17:46:12.000+02:00"); +@@ -148,6 +186,75 @@ Test(parse_timestamp, standard_bsd_format_year_in_the_past) + _expect_rfc3164_timestamp_eq("Dec 31 17:46:12", "2017-12-31T17:46:12.000+01:00"); + } + ++Test(parse_timestamp, non_zero_terminated_rfc3164_iso_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc3164_bsd_pix_or_asa_input_is_handled_properly) ++{ ++ gchar *ts = "Aug 17 2022 05:02:28: whatever"; ++ gint ts_len = 21; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.000+02:00"); ++ ++ /* no ":" at the end, that's a problem, unrecognized */ ++ _expect_rfc3164_fails(ts, ts_len - 1); ++ ++ for (gint i = 1; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc5424_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc5424_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only) ++{ ++ const gchar *ts = "2022-08-17T05:02:28.417+03:00"; ++ gint ts_len = strlen(ts); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts); ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { +diff --git a/modules/syslogformat/CMakeLists.txt b/modules/syslogformat/CMakeLists.txt +index fb55ea4..a2a92bb 100644 +--- a/modules/syslogformat/CMakeLists.txt ++++ b/modules/syslogformat/CMakeLists.txt +@@ -24,4 +24,6 @@ target_include_directories(syslogformat + ) + target_link_libraries(syslogformat PRIVATE syslog-ng) + ++add_test_subdirectory(tests) ++ + install(TARGETS syslogformat LIBRARY DESTINATION lib/syslog-ng/) +diff --git a/modules/syslogformat/Makefile.am b/modules/syslogformat/Makefile.am +index f13f88c..14cdf58 100644 +--- a/modules/syslogformat/Makefile.am ++++ b/modules/syslogformat/Makefile.am +@@ -31,3 +31,5 @@ modules_syslogformat_libsyslogformat_la_DEPENDENCIES = \ + modules/syslogformat modules/syslogformat/ mod-syslogformat: \ + modules/syslogformat/libsyslogformat.la + .PHONY: modules/syslogformat/ mod-syslogformat ++ ++include modules/syslogformat/tests/Makefile.am +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index 6d53a32..a69f39f 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -200,7 +200,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + + /* if the next char is not space, then we may try to read a date */ + +- if (*src != ' ') ++ if (!left || *src != ' ') + return; + + log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1); +@@ -216,6 +216,9 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data, + const guchar *src = *data; + gint left = *length; + ++ if (!left) ++ return; ++ + /* Cisco timestamp extensions, the first '*' indicates that the clock is + * unsynced, '.' if it is known to be synced */ + if (G_UNLIKELY(src[0] == '*')) +@@ -564,7 +567,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + open_sd++; + do + { +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + /* read sd_id */ + pos = 0; +@@ -598,7 +601,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + strcpy(sd_value_name, logmsg_sd_prefix); + /* this strcat is safe, as sd_id_name is at most 32 chars */ + strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len); +- if (*src == ']') ++ ++ if (left && *src == ']') + { + log_msg_set_value_by_name(self, sd_value_name, "", 0); + } +@@ -615,7 +619,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + else + goto error; + +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + + /* read sd-param */ +diff --git a/modules/syslogformat/tests/CMakeLists.txt b/modules/syslogformat/tests/CMakeLists.txt +new file mode 100644 +index 0000000..2e45b71 +--- /dev/null ++++ b/modules/syslogformat/tests/CMakeLists.txt +@@ -0,0 +1 @@ ++add_unit_test(CRITERION TARGET test_syslog_format DEPENDS syslogformat) +diff --git a/modules/syslogformat/tests/Makefile.am b/modules/syslogformat/tests/Makefile.am +new file mode 100644 +index 0000000..7ee66a5 +--- /dev/null ++++ b/modules/syslogformat/tests/Makefile.am +@@ -0,0 +1,9 @@ ++modules_syslogformat_tests_TESTS = \ ++ modules/syslogformat/tests/test_syslog_format ++ ++check_PROGRAMS += ${modules_syslogformat_tests_TESTS} ++ ++EXTRA_DIST += modules/syslogformat/tests/CMakeLists.txt ++ ++modules_syslogformat_tests_test_syslog_format_CFLAGS = $(TEST_CFLAGS) -I$(top_srcdir)/modules/syslogformat ++modules_syslogformat_tests_test_syslog_format_LDADD = $(TEST_LDADD) $(PREOPEN_SYSLOGFORMAT) +diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c +new file mode 100644 +index 0000000..d0f5b40 +--- /dev/null ++++ b/modules/syslogformat/tests/test_syslog_format.c +@@ -0,0 +1,104 @@ ++/* ++ * Copyright (c) 2022 One Identity ++ * Copyright (c) 2022 László Várady ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 as published ++ * by the Free Software Foundation, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ * As an additional exemption you are allowed to compile & link against the ++ * OpenSSL libraries as published by the OpenSSL project. See the file ++ * COPYING for details. ++ * ++ */ ++ ++#include <criterion/criterion.h> ++ ++#include "apphook.h" ++#include "cfg.h" ++#include "syslog-format.h" ++#include "logmsg/logmsg.h" ++#include "msg-format.h" ++#include "scratch-buffers.h" ++ ++#include <string.h> ++ ++GlobalConfig *cfg; ++MsgFormatOptions parse_options; ++ ++static void ++setup(void) ++{ ++ app_startup(); ++ syslog_format_init(); ++ ++ cfg = cfg_new_snippet(); ++ msg_format_options_defaults(&parse_options); ++} ++ ++static void ++teardown(void) ++{ ++ scratch_buffers_explicit_gc(); ++ app_shutdown(); ++ cfg_free(cfg); ++} ++ ++TestSuite(syslog_format, .init = setup, .fini = teardown); ++ ++Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeout = 10) ++{ ++ const gchar *data = "<182>2022-08-17T05:02:28.217 mymachine su: 'su root' failed for lonvick on /dev/pts/8"; ++ /* chosen carefully to reproduce a bug */ ++ gsize data_length = 27; ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, cisco_sequence_id_non_zero_termination) ++{ ++ const gchar *data = "<189>65536: "; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, ".SDATA.meta.sequenceId", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, minimal_non_zero_terminated_numeric_message_is_parsed_as_program_name) ++{ ++ const gchar *data = "<189>65536"; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, "PROGRAM", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} +-- +2.25.1 + diff --git a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb index 10bf00fdce..6e90dabd14 100644 --- a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb +++ b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb @@ -9,6 +9,7 @@ SRC_URI += " \ file://0001-syslog-ng-fix-segment-fault-during-service-start.patch \ file://shebang.patch \ file://syslog-ng-tmp.conf \ + file://CVE-2022-38725.patch \ " SRC_URI[md5sum] = "ef9de066793f7358af7312b964ac0450" diff --git a/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb b/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb index 9f89bac22a..5bcbea4600 100644 --- a/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb +++ b/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb @@ -7,7 +7,7 @@ SECTION = "devel" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/jthornber/thin-provisioning-tools \ +SRC_URI = "git://github.com/jthornber/thin-provisioning-tools;branch=main;protocol=https \ file://0001-do-not-strip-pdata_tools-at-do_install.patch \ file://use-sh-on-path.patch \ " diff --git a/meta-oe/recipes-support/toscoterm/toscoterm_git.bb b/meta-oe/recipes-support/toscoterm/toscoterm_git.bb index aba485e1a4..4dddd54c5f 100644 --- a/meta-oe/recipes-support/toscoterm/toscoterm_git.bb +++ b/meta-oe/recipes-support/toscoterm/toscoterm_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://main.c;start_line=5;end_line=16;md5=9ae4bf20caf291afa # 0.2 version SRCREV = "8586d617aed19fc75f5ae1e07270752c1b2f9a30" -SRC_URI = "git://github.com/OSSystems/toscoterm.git" +SRC_URI = "git://github.com/OSSystems/toscoterm.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch new file mode 100644 index 0000000000..0189833b49 --- /dev/null +++ b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch @@ -0,0 +1,63 @@ +From 2517b8feb13919c382e53ab5f9b63c5b5ee5b063 Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort <pochu@debian.org> +Date: Fri, 5 Nov 2021 09:29:13 +0100 +Subject: [PATCH] udisks2 security update + +mount options: Always use errors=remount-ro for ext filesystems + +Stefan Walter found that udisks2, a service to access and manipulate +storage devices, could cause denial of service via system crash if a +corrupted or specially crafted ext2/3/4 device or image was mounted, +which could happen automatically on certain environments. + +For Debian 9 stretch, this problem has been fixed in version +2.1.8-1+deb9u1. + +Default mount options are focused primarily on data safety, mounting +damaged ext2/3/4 filesystem as readonly would indicate something's wrong. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/u/udisks2/udisks2_2.1.8-1+deb9u1.debian.tar.xz] +CVE: CVE-2021-3802 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/udiskslinuxfilesystem.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/udiskslinuxfilesystem.c b/src/udiskslinuxfilesystem.c +index a5a3898c..eac8cab3 100644 +--- a/src/udiskslinuxfilesystem.c ++++ b/src/udiskslinuxfilesystem.c +@@ -421,6 +421,21 @@ static const gchar *hfsplus_allow[] = { "creator", "type", "umask", "session", " + static const gchar *hfsplus_allow_uid_self[] = { "uid", NULL }; + static const gchar *hfsplus_allow_gid_self[] = { "gid", NULL }; + ++/* ---------------------- ext2 -------------------- */ ++ ++static const gchar *ext2_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext2_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext3 -------------------- */ ++ ++static const gchar *ext3_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext3_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext4 -------------------- */ ++ ++static const gchar *ext4_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext4_allow[] = { "errors=remount-ro", NULL }; ++ + /* ------------------------------------------------ */ + /* TODO: support context= */ + +@@ -434,6 +449,9 @@ static const FSMountOptions fs_mount_options[] = + { "udf", udf_defaults, udf_allow, udf_allow_uid_self, udf_allow_gid_self }, + { "exfat", exfat_defaults, exfat_allow, exfat_allow_uid_self, exfat_allow_gid_self }, + { "hfsplus", hfsplus_defaults, hfsplus_allow, hfsplus_allow_uid_self, hfsplus_allow_gid_self }, ++ { "ext2", ext2_defaults, ext2_allow, NULL, NULL }, ++ { "ext3", ext3_defaults, ext3_allow, NULL, NULL }, ++ { "ext4", ext4_defaults, ext4_allow, NULL, NULL }, + }; + + /* ------------------------------------------------ */ diff --git a/meta-oe/recipes-support/udisks/udisks2_git.bb b/meta-oe/recipes-support/udisks/udisks2_git.bb index ecaf01e71d..58c8a9899a 100644 --- a/meta-oe/recipes-support/udisks/udisks2_git.bb +++ b/meta-oe/recipes-support/udisks/udisks2_git.bb @@ -17,7 +17,8 @@ DEPENDS += "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" RDEPENDS_${PN} = "acl" SRC_URI = " \ - git://github.com/storaged-project/udisks.git;branch=master \ + git://github.com/storaged-project/udisks.git;branch=master;protocol=https \ + file://CVE-2021-3802.patch \ " PV = "2.8.4+git${SRCREV}" SRCREV = "db5f487345da2eaa87976450ea51c2c465d9b82e" diff --git a/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb b/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb index b294d77bad..0bb48412a9 100644 --- a/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb +++ b/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb @@ -7,7 +7,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRCREV = "c9fa3c68a1b2c9790c731602b8bae2b513e80605" -SRC_URI = "git://github.com/mvp/${BPN}" +SRC_URI = "git://github.com/mvp/${BPN};branch=master;protocol=https" S = "${WORKDIR}/git" # uhubctl gets its program version from "git describe". As we use the source diff --git a/meta-oe/recipes-support/uthash/uthash_2.1.0.bb b/meta-oe/recipes-support/uthash/uthash_2.1.0.bb index 09cef44a85..3f4529e1a0 100644 --- a/meta-oe/recipes-support/uthash/uthash_2.1.0.bb +++ b/meta-oe/recipes-support/uthash/uthash_2.1.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a2513f7d2291df840527b76b2a8f9718" SRCREV = "8b214aefcb81df86a7e5e0d4fa20e59a6c18bc02" SRC_URI = "\ - git://github.com/troydhanson/${BPN}.git \ + git://github.com/troydhanson/${BPN}.git;branch=master;protocol=https \ file://run-ptest \ " diff --git a/meta-oe/recipes-support/utouch/utouch-evemu_git.bb b/meta-oe/recipes-support/utouch/utouch-evemu_git.bb index 7c5a734394..e1ec1fda8b 100644 --- a/meta-oe/recipes-support/utouch/utouch-evemu_git.bb +++ b/meta-oe/recipes-support/utouch/utouch-evemu_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949" inherit autotools -SRC_URI = "git://bitmath.org/git/evemu.git;protocol=http \ +SRC_URI = "git://bitmath.org/git/evemu.git;protocol=http;branch=master \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ " SRCREV = "9752b50e922572e4cd214ac45ed95e4ee410fe24" diff --git a/meta-oe/recipes-support/utouch/utouch-frame_git.bb b/meta-oe/recipes-support/utouch/utouch-frame_git.bb index 1ebebfa9f5..5993956353 100644 --- a/meta-oe/recipes-support/utouch/utouch-frame_git.bb +++ b/meta-oe/recipes-support/utouch/utouch-frame_git.bb @@ -9,7 +9,7 @@ DEPENDS += "mtdev utouch-evemu" inherit autotools pkgconfig -SRC_URI = "git://bitmath.org/git/frame.git;protocol=http \ +SRC_URI = "git://bitmath.org/git/frame.git;protocol=http;branch=master \ file://remove-man-page-creation.patch \ file://0001-include-sys-stat.h-for-fixing-build-issue-on-musl.patch \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ diff --git a/meta-oe/recipes-support/utouch/utouch-mtview_git.bb b/meta-oe/recipes-support/utouch/utouch-mtview_git.bb index 5f07bf28ee..65edaf1e5b 100644 --- a/meta-oe/recipes-support/utouch/utouch-mtview_git.bb +++ b/meta-oe/recipes-support/utouch/utouch-mtview_git.bb @@ -9,7 +9,7 @@ inherit autotools pkgconfig features_check # depends on virtual/libx11 REQUIRED_DISTRO_FEATURES = "x11" -SRC_URI = "git://bitmath.org/git/mtview.git;protocol=http" +SRC_URI = "git://bitmath.org/git/mtview.git;protocol=http;branch=master" SRCREV = "ad437c38dc111cf3990a03abf14efe1b5d89604b" DEPENDS += "mtdev utouch-frame utouch-evemu libx11" diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch new file mode 100644 index 0000000000..e95e240492 --- /dev/null +++ b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch @@ -0,0 +1,276 @@ +Subject: Fix build errors with linux 5.13 +Origin: upstream, https://www.virtualbox.org/browser/vbox/trunk +Bug: https://bugs.launchpad.net/bugs/1929193 + +diff -urpN virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_drv.h virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_drv.h +--- virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_drv.h 2021-04-28 16:24:47.000000000 +0000 ++++ virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_drv.h 2021-06-23 10:08:44.431714404 +0000 +@@ -46,20 +41,20 @@ + * Evaluates to true if the linux kernel version is equal or higher to the + * one specfied. */ + #define RTLNX_VER_MIN(a_Major, a_Minor, a_Patch) \ +- (LINUX_VERSION_CODE >= KERNEL_VERSION(a_Major, a_Minor, a_Patch)) ++ (LINUX_VERSION_CODE >= KERNEL_VERSION(a_Major, a_Minor, a_Patch)) + + /** @def RTLNX_VER_MAX + * Evaluates to true if the linux kernel version is less to the one specfied + * (exclusive). */ + #define RTLNX_VER_MAX(a_Major, a_Minor, a_Patch) \ +- (LINUX_VERSION_CODE < KERNEL_VERSION(a_Major, a_Minor, a_Patch)) ++ (LINUX_VERSION_CODE < KERNEL_VERSION(a_Major, a_Minor, a_Patch)) + + /** @def RTLNX_VER_RANGE + * Evaluates to true if the linux kernel version is equal or higher to the given + * minimum version and less (but not equal) to the maximum version (exclusive). */ + #define RTLNX_VER_RANGE(a_MajorMin, a_MinorMin, a_PatchMin, a_MajorMax, a_MinorMax, a_PatchMax) \ +- ( LINUX_VERSION_CODE >= KERNEL_VERSION(a_MajorMin, a_MinorMin, a_PatchMin) \ +- && LINUX_VERSION_CODE < KERNEL_VERSION(a_MajorMax, a_MinorMax, a_PatchMax) ) ++ ( LINUX_VERSION_CODE >= KERNEL_VERSION(a_MajorMin, a_MinorMin, a_PatchMin) \ ++ && LINUX_VERSION_CODE < KERNEL_VERSION(a_MajorMax, a_MinorMax, a_PatchMax) ) + + + /** @def RTLNX_RHEL_MIN +@@ -70,7 +65,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_MIN(a_iMajor, a_iMinor) \ +- ((RHEL_MAJOR) > (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) >= (a_iMinor))) ++ ((RHEL_MAJOR) > (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) >= (a_iMinor))) + #else + # define RTLNX_RHEL_MIN(a_iMajor, a_iMinor) (0) + #endif +@@ -83,7 +78,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_MAX(a_iMajor, a_iMinor) \ +- ((RHEL_MAJOR) < (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) < (a_iMinor))) ++ ((RHEL_MAJOR) < (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) < (a_iMinor))) + #else + # define RTLNX_RHEL_MAX(a_iMajor, a_iMinor) (0) + #endif +@@ -95,7 +90,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_RANGE(a_iMajorMin, a_iMinorMin, a_iMajorMax, a_iMinorMax) \ +- (RTLNX_RHEL_MIN(a_iMajorMin, a_iMinorMin) && RTLNX_RHEL_MAX(a_iMajorMax, a_iMinorMax)) ++ (RTLNX_RHEL_MIN(a_iMajorMin, a_iMinorMin) && RTLNX_RHEL_MAX(a_iMajorMax, a_iMinorMax)) + #else + # define RTLNX_RHEL_RANGE(a_iMajorMin, a_iMinorMin, a_iMajorMax, a_iMinorMax) (0) + #endif +@@ -173,7 +168,9 @@ + #include <drm/ttm/ttm_bo_api.h> + #include <drm/ttm/ttm_bo_driver.h> + #include <drm/ttm/ttm_placement.h> ++#if RTLNX_VER_MAX(5,13,0) + #include <drm/ttm/ttm_memory.h> ++#endif + #if RTLNX_VER_MAX(5,12,0) + # include <drm/ttm/ttm_module.h> + #endif +@@ -222,7 +219,7 @@ static inline void drm_gem_object_put(st + VBVA_ADAPTER_INFORMATION_SIZE) + #define GUEST_HEAP_SIZE VBVA_ADAPTER_INFORMATION_SIZE + #define GUEST_HEAP_USABLE_SIZE (VBVA_ADAPTER_INFORMATION_SIZE - \ +- sizeof(HGSMIHOSTFLAGS)) ++ sizeof(struct hgsmi_host_flags)) + #define HOST_FLAGS_OFFSET GUEST_HEAP_USABLE_SIZE + + /** How frequently we refresh if the guest is not providing dirty rectangles. */ +@@ -232,7 +229,7 @@ static inline void drm_gem_object_put(st + static inline void *devm_kcalloc(struct device *dev, size_t n, size_t size, + gfp_t flags) + { +- return devm_kzalloc(dev, n * size, flags); ++ return devm_kzalloc(dev, n * size, flags); + } + #endif + +@@ -244,7 +241,7 @@ struct vbox_private { + u8 __iomem *guest_heap; + u8 __iomem *vbva_buffers; + struct gen_pool *guest_pool; +- struct VBVABUFFERCONTEXT *vbva_info; ++ struct vbva_buf_context *vbva_info; + bool any_pitch; + u32 num_crtcs; + /** Amount of available VRAM, including space used for buffers. */ +@@ -252,7 +249,7 @@ struct vbox_private { + /** Amount of available VRAM, not including space used for buffers. */ + u32 available_vram_size; + /** Array of structures for receiving mode hints. */ +- VBVAMODEHINT *last_mode_hints; ++ struct vbva_modehint *last_mode_hints; + + struct vbox_fbdev *fbdev; + +@@ -263,7 +260,11 @@ struct vbox_private { + struct drm_global_reference mem_global_ref; + struct ttm_bo_global_ref bo_global_ref; + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ struct ttm_device bdev; ++#else + struct ttm_bo_device bdev; ++#endif + bool mm_initialised; + } ttm; + +diff -urpN virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_ttm.c virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_ttm.c +--- virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_ttm.c 2021-04-28 16:24:47.000000000 +0000 ++++ virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_ttm.c 2021-06-23 10:08:07.164057918 +0000 +@@ -48,7 +43,11 @@ + #endif + + ++#if RTLNX_VER_MIN(5,13,0) ++static inline struct vbox_private *vbox_bdev(struct ttm_device *bd) ++#else + static inline struct vbox_private *vbox_bdev(struct ttm_bo_device *bd) ++#endif + { + return container_of(bd, struct vbox_private, ttm.bdev); + } +@@ -188,7 +187,7 @@ static int vbox_ttm_io_mem_reserve(struc + mem->bus.size = mem->num_pages << PAGE_SHIFT; + mem->bus.base = 0; + mem->bus.is_iomem = false; +- if (!(man->flags & TTM_MEMTYPE_FLAG_MAPPABLE)) ++ if (!(man->flags & TTM_MEMTYPE_FLAG_MAPPABLE)) + return -EINVAL; + switch (mem->mem_type) { + case TTM_PL_SYSTEM: +@@ -205,8 +204,13 @@ static int vbox_ttm_io_mem_reserve(struc + return 0; + } + #else ++# if RTLNX_VER_MAX(5,13,0) + static int vbox_ttm_io_mem_reserve(struct ttm_bo_device *bdev, + struct ttm_resource *mem) ++# else /* > 5.13.0 */ ++static int vbox_ttm_io_mem_reserve(struct ttm_device *bdev, ++ struct ttm_resource *mem) ++# endif /* > 5.13.0 */ + { + struct vbox_private *vbox = vbox_bdev(bdev); + mem->bus.addr = NULL; +@@ -241,7 +245,12 @@ static int vbox_ttm_io_mem_reserve(struc + + + +-#if RTLNX_VER_MIN(5,10,0) ++#if RTLNX_VER_MIN(5,13,0) ++static void vbox_ttm_io_mem_free(struct ttm_device *bdev, ++ struct ttm_resource *mem) ++{ ++} ++#elif RTLNX_VER_MIN(5,10,0) + static void vbox_ttm_io_mem_free(struct ttm_bo_device *bdev, + struct ttm_resource *mem) + { +@@ -253,7 +262,13 @@ static void vbox_ttm_io_mem_free(struct + } + #endif + +-#if RTLNX_VER_MIN(5,10,0) ++#if RTLNX_VER_MIN(5,13,0) ++static void vbox_ttm_tt_destroy(struct ttm_device *bdev, struct ttm_tt *tt) ++{ ++ ttm_tt_fini(tt); ++ kfree(tt); ++} ++#elif RTLNX_VER_MIN(5,10,0) + static void vbox_ttm_tt_destroy(struct ttm_bo_device *bdev, struct ttm_tt *tt) + { + ttm_tt_fini(tt); +@@ -333,7 +348,11 @@ static int vbox_bo_move(struct ttm_buffe + } + #endif + ++#if RTLNX_VER_MIN(5,13,0) ++static struct ttm_device_funcs vbox_bo_driver = { ++#else /* < 5.13.0 */ + static struct ttm_bo_driver vbox_bo_driver = { ++#endif /* < 5.13.0 */ + .ttm_tt_create = vbox_ttm_tt_create, + #if RTLNX_VER_MIN(5,10,0) + .ttm_tt_destroy = vbox_ttm_tt_destroy, +@@ -370,14 +389,22 @@ int vbox_mm_init(struct vbox_private *vb + { + int ret; + struct drm_device *dev = vbox->dev; ++#if RTLNX_VER_MIN(5,13,0) ++ struct ttm_device *bdev = &vbox->ttm.bdev; ++#else + struct ttm_bo_device *bdev = &vbox->ttm.bdev; ++#endif + + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + ret = vbox_ttm_global_init(vbox); + if (ret) + return ret; + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ ret = ttm_device_init(&vbox->ttm.bdev, ++#else + ret = ttm_bo_device_init(&vbox->ttm.bdev, ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + vbox->ttm.bo_global_ref.ref.object, + #endif +@@ -429,7 +456,11 @@ int vbox_mm_init(struct vbox_private *vb + return 0; + + err_device_release: ++#if RTLNX_VER_MIN(5,13,0) ++ ttm_device_fini(&vbox->ttm.bdev); ++#else + ttm_bo_device_release(&vbox->ttm.bdev); ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + err_ttm_global_release: + vbox_ttm_global_release(vbox); +@@ -446,7 +477,11 @@ void vbox_mm_fini(struct vbox_private *v + #else + arch_phys_wc_del(vbox->fb_mtrr); + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ ttm_device_fini(&vbox->ttm.bdev); ++#else + ttm_bo_device_release(&vbox->ttm.bdev); ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + vbox_ttm_global_release(vbox); + #endif +@@ -528,7 +563,9 @@ int vbox_bo_create(struct drm_device *de + { + struct vbox_private *vbox = dev->dev_private; + struct vbox_bo *vboxbo; ++#if RTLNX_VER_MAX(5,13,0) + size_t acc_size; ++#endif + int ret; + + vboxbo = kzalloc(sizeof(*vboxbo), GFP_KERNEL); +@@ -551,16 +588,20 @@ int vbox_bo_create(struct drm_device *de + + vbox_ttm_placement(vboxbo, VBOX_MEM_TYPE_VRAM | VBOX_MEM_TYPE_SYSTEM); + ++#if RTLNX_VER_MAX(5,13,0) + acc_size = ttm_bo_dma_acc_size(&vbox->ttm.bdev, size, + sizeof(struct vbox_bo)); ++#endif + + ret = ttm_bo_init(&vbox->ttm.bdev, &vboxbo->bo, size, + ttm_bo_type_device, &vboxbo->placement, + #if RTLNX_VER_MAX(4,17,0) && !RTLNX_RHEL_MAJ_PREREQ(7,6) && !RTLNX_SUSE_MAJ_PREREQ(15,1) && !RTLNX_SUSE_MAJ_PREREQ(12,5) + align >> PAGE_SHIFT, false, NULL, acc_size, +-#else ++#elif RTLNX_VER_MAX(5,13,0) /* < 5.13.0 */ + align >> PAGE_SHIFT, false, acc_size, +-#endif ++#else /* > 5.13.0 */ ++ align >> PAGE_SHIFT, false, ++#endif /* > 5.13.0 */ + #if RTLNX_VER_MIN(3,18,0) || RTLNX_RHEL_MAJ_PREREQ(7,2) + NULL, NULL, vbox_bo_ttm_destroy); + #else diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch new file mode 100644 index 0000000000..8dd30a20ef --- /dev/null +++ b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch @@ -0,0 +1,36 @@ +add __divmoddi4 builtin + +GCC 11 will generate it in code + +void foo(unsigned char *u8Second, unsigned int *u32Nanosecond, long long timeSpec) +{ + long long i64Div; + int i32Div; + int i32Rem; + i64Div = timeSpec; + i32Rem = (int)(i64Div % 1000000000); + i64Div /= 1000000000; + *u32Nanosecond = i32Rem; + i32Rem = (int)(i64Div % 60); + *u8Second = i32Rem; +} + + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/src/VBox/Runtime/common/math/gcc/divdi3.c ++++ b/src/VBox/Runtime/common/math/gcc/divdi3.c +@@ -68,3 +68,12 @@ __divdi3(a, b) + uq = - uq; + return uq; + } ++ ++quad_t ++__divmoddi4(quad_t a, quad_t b, quad_t* rem) ++{ ++ quad_t d = __divdi3(a,b); ++ *rem = a - (d*b); ++ return d; ++} ++ diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.6.bb b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.22.bb index 89b1ee11e2..19b8f8f46e 100644 --- a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.6.bb +++ b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.22.bb @@ -13,11 +13,14 @@ VBOX_NAME = "VirtualBox-${PV}" SRC_URI = "http://download.virtualbox.org/virtualbox/${PV}/${VBOX_NAME}.tar.bz2 \ file://Makefile.utils \ + file://40-linux-5.13-support.patch \ + file://add__divmoddi4.patch \ " -SRC_URI[md5sum] = "fe6328d22dfb20ea372daa4b58b12374" -SRC_URI[sha256sum] = "b031c30d770f28c5f884071ad933e8c1f83e65b93aaba03a4012077c1d90a54f" +SRC_URI[md5sum] = "abb1a20021e5915fe38c666e8c11cf80" +SRC_URI[sha256sum] = "99816d2a15205d49362a31e8ffeb8262d2fa0678c751dfd0a7c43b2faca8be49" -S = "${WORKDIR}/vbox_module" +S ?= "${WORKDIR}/vbox_module" +S_task-patch = "${WORKDIR}/${VBOX_NAME}" export BUILD_TARGET_ARCH="${ARCH}" export BUILD_TARGET_ARCH_x86-64="amd64" diff --git a/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb b/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb index 79a5ac5c4e..673fc5899b 100644 --- a/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb +++ b/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=4d168d763c111f4ffc62249870e4e0ea" DEPENDS = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'openssl boost zlib', '', d)} " -SRC_URI = "git://github.com/zaphoyd/websocketpp.git;protocol=https \ +SRC_URI = "git://github.com/zaphoyd/websocketpp.git;protocol=https;branch=master \ file://0001-cmake-Use-GNUInstallDirs.patch \ file://855.patch \ file://857.patch \ diff --git a/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb b/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb index d100030f9b..c161781989 100644 --- a/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb +++ b/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb @@ -7,7 +7,7 @@ SECTION = "console/utils" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" -SRC_URI = "git://github.com/jmacd/xdelta.git;branch=release3_1_apl" +SRC_URI = "git://github.com/jmacd/xdelta.git;branch=release3_1_apl;protocol=https" SRCREV = "4b4aed71a959fe11852e45242bb6524be85d3709" S = "${WORKDIR}/git/xdelta3" diff --git a/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch b/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch new file mode 100644 index 0000000000..a5a298af0d --- /dev/null +++ b/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch @@ -0,0 +1,22 @@ +xmlsec1: Fix configure QA error caused by host lookup path + +ERROR: mc:my-sdk:xmlsec1-1.2.30-r0 do_configure: QA Issue: This autoconf log indicates errors, it looked at host include and/or library paths while determining system capabilities. + +It will eventually arise after the configure QA as the configure script should only look at the staging sysroot dir, not at the host. + +Upstream-Status: Inappropriate [embedded specific] +Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> + +--- a/configure.ac.orig 2021-01-13 14:37:42.254991177 +0000 ++++ b/configure.ac 2021-01-13 14:40:56.546269330 +0000 +@@ -250,8 +250,8 @@ + dnl ========================================================================== + dnl Common installation locations + dnl ========================================================================== +-COMMON_INCLUDE_DIR="/usr/include /usr/local/include" +-COMMON_LIB_DIR="/usr/lib /usr/lib64 /usr/local/lib" ++COMMON_INCLUDE_DIR="${STAGING_INCDIR}" ++COMMON_LIB_DIR="${STAGING_LIBDIR}" + case $host in + i*86-*-linux-gnu) COMMON_LIB_DIR="$COMMON_LIB_DIR /usr/lib/i386-linux-gnu" ;; + x86_64-*-linux-gnu) COMMON_LIB_DIR="$COMMON_LIB_DIR /usr/lib/x86_64-linux-gnu" ;; diff --git a/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb b/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb index 20c7b2d371..391614b5f2 100644 --- a/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb +++ b/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb @@ -19,6 +19,7 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \ file://xmlsec1-examples-allow-build-in-separate-dir.patch \ file://0001-nss-nspr-fix-for-multilib.patch \ file://run-ptest \ + file://ensure-search-path-non-host.patch \ " SRC_URI[md5sum] = "b66ec21e0a0ac331afb4b1bc5c9ef966" diff --git a/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb b/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb index 481e7303b3..1ba4a32ba6 100644 --- a/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb +++ b/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb @@ -10,7 +10,7 @@ DEPENDS = "virtual/libx11 xserver-xorg xrdp nasm-native" inherit features_check REQUIRED_DISTRO_FEATURES = "x11 pam" -SRC_URI = "git://github.com/neutrinolabs/xorgxrdp.git" +SRC_URI = "git://github.com/neutrinolabs/xorgxrdp.git;branch=master;protocol=https" SRCREV = "c122544f184d4031bbae1ad80fbab554c34a9427" diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb index deda0fd1b5..36184705bc 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb @@ -10,7 +10,7 @@ DEPENDS = "openssl virtual/libx11 libxfixes libxrandr libpam nasm-native" REQUIRED_DISTRO_FEATURES = "x11 pam" -SRC_URI = "git://github.com/neutrinolabs/xrdp.git \ +SRC_URI = "git://github.com/neutrinolabs/xrdp.git;branch=master;protocol=https \ file://xrdp.sysconfig \ file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \ file://0001-Fix-the-compile-error.patch \ diff --git a/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb b/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb index 865adc5a1b..783af89bed 100644 --- a/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb +++ b/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb @@ -5,7 +5,7 @@ HOMEPAGE = "http://www.xxhash.com/" LICENSE = "BSD-2-Clause & GPL-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=01a7eba4212ef1e882777a38585e7a9b" -SRC_URI = "git://github.com/Cyan4973/xxHash.git" +SRC_URI = "git://github.com/Cyan4973/xxHash.git;branch=master;protocol=https" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" SRCREV = "d408e9b0606d07b1ddc5452ffc0ec8512211b174" diff --git a/meta-oe/recipes-support/zbar/zbar_git.bb b/meta-oe/recipes-support/zbar/zbar_git.bb index 935e09cd53..46ca549c5c 100644 --- a/meta-oe/recipes-support/zbar/zbar_git.bb +++ b/meta-oe/recipes-support/zbar/zbar_git.bb @@ -10,7 +10,7 @@ PV = "0.10+git${SRCPV}" # iPhoneSDK-1.3.1 tag SRCREV = "67003d2a985b5f9627bee2d8e3e0b26d0c474b57" -SRC_URI = "git://github.com/ZBar/Zbar \ +SRC_URI = "git://github.com/ZBar/Zbar;branch=master;protocol=https \ file://0001-make-relies-GNU-extentions.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb b/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb index e041132b1c..e4c0232bd9 100644 --- a/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb +++ b/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb @@ -4,7 +4,7 @@ AUTHOR = "Jonathan Dieter" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=cd6e590282010ce90a94ef25dd31410f" -SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https" +SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https;branch=master" SRCREV = "f5593aa11584faa691c81b4898f0aaded47f8bf7" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-test/bats/bats_1.1.0.bb b/meta-oe/recipes-test/bats/bats_1.1.0.bb index a8179744ae..7ee0205766 100644 --- a/meta-oe/recipes-test/bats/bats_1.1.0.bb +++ b/meta-oe/recipes-test/bats/bats_1.1.0.bb @@ -6,7 +6,7 @@ HOMEPAGE = "https://github.com/bats-core/bats-core" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2970203aedf9e829edb96a137a4fe81b" -SRC_URI = "git://github.com/bats-core/bats-core.git \ +SRC_URI = "git://github.com/bats-core/bats-core.git;branch=master;protocol=https \ " # v1.1.0 SRCREV = "c706d1470dd1376687776bbe985ac22d09780327" diff --git a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb index 57fc935f77..50188937d5 100644 --- a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb +++ b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/catchorg/Catch2" LICENSE = "BSL-1.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c" -SRC_URI = "git://github.com/catchorg/Catch2.git" +SRC_URI = "git://github.com/catchorg/Catch2.git;branch=v2.x;protocol=https" SRCREV = "2c869e17e4803d30b3d5ca5b0d76387b9db97fa5" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-test/evtest/evtest_1.34.bb b/meta-oe/recipes-test/evtest/evtest_1.34.bb index a3a23c8951..eb6a34f301 100644 --- a/meta-oe/recipes-test/evtest/evtest_1.34.bb +++ b/meta-oe/recipes-test/evtest/evtest_1.34.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "libxml2" SRCREV = "16e5104127a620686bdddc4a9ad62881134d6c69" -SRC_URI = "git://gitlab.freedesktop.org/libevdev/evtest.git;protocol=https \ +SRC_URI = "git://gitlab.freedesktop.org/libevdev/evtest.git;protocol=https;branch=master \ file://add_missing_limits_h_include.patch \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ " diff --git a/meta-oe/recipes-test/fbtest/fb-test_git.bb b/meta-oe/recipes-test/fbtest/fb-test_git.bb index 6a9d4b2787..2992135726 100644 --- a/meta-oe/recipes-test/fbtest/fb-test_git.bb +++ b/meta-oe/recipes-test/fbtest/fb-test_git.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a" SRCREV = "063ec650960c2d79ac51f5c5f026cb05343a33e2" -SRC_URI = "git://github.com/prpplague/fb-test-app.git" +SRC_URI = "git://github.com/prpplague/fb-test-app.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-test/googletest/googletest_git.bb b/meta-oe/recipes-test/googletest/googletest_git.bb index 354e7de337..35fe1bed00 100644 --- a/meta-oe/recipes-test/googletest/googletest_git.bb +++ b/meta-oe/recipes-test/googletest/googletest_git.bb @@ -11,7 +11,7 @@ PROVIDES += "gmock gtest" S = "${WORKDIR}/git" SRCREV = "703bd9caab50b139428cea1aaff9974ebee5742e" -SRC_URI = "git://github.com/google/googletest.git" +SRC_URI = "git://github.com/google/googletest.git;branch=main;protocol=https" inherit cmake diff --git a/meta-oe/recipes-test/pm-qa/pm-qa_git.bb b/meta-oe/recipes-test/pm-qa/pm-qa_git.bb index 7e9971ea4c..bb641437c9 100644 --- a/meta-oe/recipes-test/pm-qa/pm-qa_git.bb +++ b/meta-oe/recipes-test/pm-qa/pm-qa_git.bb @@ -42,6 +42,7 @@ do_install () { do # Remove hardcoded relative paths sed -i -e 's#..\/utils\/##' ${script} + sed -i -e 's#. ..\/Switches#${bindir}#g' ${script} script_basename=`basename ${script}` install -m 0755 $script ${D}${libdir}/${BPN}/${script_basename} @@ -54,7 +55,7 @@ do_install () { # if the script includes any helper scripts from the $libdir # directory then change the source path to the absolute path # to reflect the install location of the helper scripts. - sed -i -e "s#source ../include#source ${libdir}/${BPN}#g" ${script} + sed -i -e "s#. ../include#. ${libdir}/${BPN}#g" ${script} # Remove hardcoded relative paths sed -i -e 's#..\/utils\/##' ${script} diff --git a/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb b/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb index afd26fa1c4..40bb586449 100644 --- a/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb +++ b/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb @@ -38,4 +38,4 @@ S = "${WORKDIR}/Config-AutoConf-${PV}" inherit cpan ptest-perl -BBCLASSEXTEND = "native nativesdk" +BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb b/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb index fc9786beca..9322db4085 100644 --- a/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb +++ b/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb @@ -43,5 +43,3 @@ do_install_ptest () { cp -r ${B}/t ${D}${PTEST_PATH} cp -r ${B}/certs ${D}${PTEST_PATH} } - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb b/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb index 8994f692b4..6d300ea9f5 100644 --- a/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb +++ b/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb @@ -62,5 +62,3 @@ python __anonymous () { raise bb.parse.SkipRecipe("incompatible with %s C library" % d.getVar('TCLIBC')) } - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb b/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb index 26c7c389d8..77c91c86cc 100644 --- a/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb +++ b/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb @@ -41,5 +41,3 @@ RDEPENDS_${PN}-ptest += " \ perl-module-perlio \ perl-module-test-more \ " - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb b/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb index a1bb4a399e..c281dfa5fe 100644 --- a/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb +++ b/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb @@ -34,5 +34,3 @@ SRC_URI[sha256sum] = "16a29f7acaeec081bf0e7303ba5ee24fda1d21a1104669b837745f3ea6 S = "${WORKDIR}/Unix-Statgrab-${PV}" inherit cpan pkgconfig ptest-perl - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/po4a/po4a_0.49.bb b/meta-perl/recipes-perl/po4a/po4a_0.49.bb index 5db5b8f8bc..d6c1d14f21 100644 --- a/meta-perl/recipes-perl/po4a/po4a_0.49.bb +++ b/meta-perl/recipes-perl/po4a/po4a_0.49.bb @@ -6,7 +6,7 @@ HOMEPAGE = "https://po4a.alioth.debian.org" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=a96fc9b4cc36d80659e694ea109f0325" -SRC_URI = "git://alioth.debian.org/anonscm/git/po4a/po4a.git;protocol=https" +SRC_URI = "git://alioth.debian.org/anonscm/git/po4a/po4a.git;protocol=https;branch=master" # v0.49 SRCREV = "79ed87a577a543538fe39c7b60079981f5997072" diff --git a/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb b/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb index e235682cf4..7910fcd18a 100644 --- a/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb +++ b/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=76699830db7fa9e897f6a1ad05f98ec8" DEPENDS = "python3-twisted python3-six python3-vcversioner python3-six-native python3-vcversioner-native" -SRC_URI = "git://github.com/MostAwesomeDude/txWS.git" +SRC_URI = "git://github.com/MostAwesomeDude/txWS.git;branch=master;protocol=https" SRCREV= "88cf6d9b9b685ffa1720644bd53c742afb10a414" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-core/images/meta-python-image.bb b/meta-python/recipes-core/images/meta-python-image.bb index cc75fe6e4b..6353d389b5 100644 --- a/meta-python/recipes-core/images/meta-python-image.bb +++ b/meta-python/recipes-core/images/meta-python-image.bb @@ -2,5 +2,4 @@ require meta-python-image-base.bb SUMMARY = "meta-python build test image" -IMAGE_INSTALL += "packagegroup-meta-python \ - packagegroup-meta-python3" +IMAGE_INSTALL += "packagegroup-meta-python3" diff --git a/meta-python/recipes-core/images/meta-python-ptest-image.bb b/meta-python/recipes-core/images/meta-python-ptest-image.bb index 7ee15354a2..d497016d41 100644 --- a/meta-python/recipes-core/images/meta-python-ptest-image.bb +++ b/meta-python/recipes-core/images/meta-python-ptest-image.bb @@ -2,4 +2,4 @@ require meta-python-image-base.bb SUMMARY = "meta-python ptest test image" -IMAGE_INSTALL += "packagegroup-meta-python-ptest" +IMAGE_INSTALL += "packagegroup-meta-python3-ptest" diff --git a/meta-python/recipes-devtools/gyp/gyp.inc b/meta-python/recipes-devtools/gyp/gyp.inc index 98ed42cc90..1415b41623 100644 --- a/meta-python/recipes-devtools/gyp/gyp.inc +++ b/meta-python/recipes-devtools/gyp/gyp.inc @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=ab828cb8ce4c62ee82945a11247b6bbd" SECTION = "devel" -SRC_URI = "git://chromium.googlesource.com/external/gyp;protocol=https" +SRC_URI = "git://chromium.googlesource.com/external/gyp;protocol=https;branch=master" SRCREV = "fcd686f1880fa52a1ee78d3e98af1b88cb334528" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python-feedformatter.inc b/meta-python/recipes-devtools/python/python-feedformatter.inc index 6ddcaa98ec..d1669977a9 100644 --- a/meta-python/recipes-devtools/python/python-feedformatter.inc +++ b/meta-python/recipes-devtools/python/python-feedformatter.inc @@ -5,7 +5,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=258e3f39e2383fbd011035d04311008d" SRCREV = "7391193c83e10420b5a2d8ef846d23fc368c6d85" -SRC_URI = "git://github.com/marianoguerra/feedformatter.git" +SRC_URI = "git://github.com/marianoguerra/feedformatter.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc index 05b5eae462..0276a3e81a 100644 --- a/meta-python/recipes-devtools/python/python-lxml.inc +++ b/meta-python/recipes-devtools/python/python-lxml.inc @@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ DEPENDS += "libxml2 libxslt" +SRC_URI += "file://CVE-2022-2309.patch" + SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11" SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60" diff --git a/meta-python/recipes-devtools/python/python-pint.inc b/meta-python/recipes-devtools/python/python-pint.inc index d022c41a57..5d880a0397 100644 --- a/meta-python/recipes-devtools/python/python-pint.inc +++ b/meta-python/recipes-devtools/python/python-pint.inc @@ -14,8 +14,6 @@ SRC_URI[sha256sum] = "308f1070500e102f83b6adfca6db53debfce2ffc5d3cbe3f6c367da359 DEPENDS += "python3-setuptools-scm-native" -BBCLASSEXTEND = "native nativesdk" - SRC_URI += " \ file://run-ptest \ " diff --git a/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb b/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb index c65a6d7da4..9811c3b9c9 100644 --- a/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb +++ b/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI = "git://github.com/abseil/abseil-py.git" +SRC_URI = "git://github.com/abseil/abseil-py.git;branch=master;protocol=https" SRCREV ?= "e3ce504183c57fc4eca52fe84732c11cda99d131" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb b/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb index 125a0236ec..5b3c73c923 100644 --- a/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb +++ b/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=561205fdabc3ec52cae2d30815b8ade7" -SRC_URI = "git://github.com/berkerpeksag/astor.git " +SRC_URI = "git://github.com/berkerpeksag/astor.git;branch=master;protocol=https" SRCREV ?= "c7553c79f9222e20783fe9bd8a553f932e918072" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb b/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb index 803ca4a404..24e38cfb4e 100644 --- a/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb +++ b/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb @@ -16,5 +16,3 @@ RDEPENDS_${PN} += "\ ${PYTHON_PN}-pyperclip \ ${PYTHON_PN}-wcwidth \ " - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch new file mode 100644 index 0000000000..c5d7ca3860 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch @@ -0,0 +1,99 @@ +From 7dee5927eb528f7ddebd62fbab31232d505acc22 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <paul.l.kehrer@gmail.com> +Date: Sun, 23 Aug 2020 23:41:33 -0500 +Subject: [PATCH] chunked update_into (#5419) + +* chunked update_into + +* all pointer arithmetic all the time + +* review feedback + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/f90ba1808ee9bd9a13c5673b776484644f29d7ba] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + .../hazmat/backends/openssl/ciphers.py | 31 +++++++++++++------ + tests/hazmat/primitives/test_ciphers.py | 17 ++++++++++ + 2 files changed, 38 insertions(+), 10 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 94b48f52..86bc94b3 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,6 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 ++ _MAX_CHUNK_SIZE = 2 ** 31 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend +@@ -125,22 +126,32 @@ class _CipherContext(object): + return bytes(buf[:n]) + + def update_into(self, data, buf): +- if len(buf) < (len(data) + self._block_size_bytes - 1): ++ total_data_len = len(data) ++ if len(buf) < (total_data_len + self._block_size_bytes - 1): + raise ValueError( + "buffer must be at least {} bytes for this " + "payload".format(len(data) + self._block_size_bytes - 1) + ) + +- buf = self._backend._ffi.cast( +- "unsigned char *", self._backend._ffi.from_buffer(buf) +- ) ++ data_processed = 0 ++ total_out = 0 + outlen = self._backend._ffi.new("int *") +- res = self._backend._lib.EVP_CipherUpdate( +- self._ctx, buf, outlen, +- self._backend._ffi.from_buffer(data), len(data) +- ) +- self._backend.openssl_assert(res != 0) +- return outlen[0] ++ baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseinbuf = self._backend._ffi.from_buffer(data) ++ ++ while data_processed != total_data_len: ++ outbuf = baseoutbuf + total_out ++ inbuf = baseinbuf + data_processed ++ inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed) ++ ++ res = self._backend._lib.EVP_CipherUpdate( ++ self._ctx, outbuf, outlen, inbuf, inlen ++ ) ++ self._backend.openssl_assert(res != 0) ++ data_processed += inlen ++ total_out += outlen[0] ++ ++ return total_out + + def finalize(self): + # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions) +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index f29ba9a9..b88610e7 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -309,3 +309,20 @@ class TestCipherUpdateInto(object): + buf = bytearray(5) + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) ++ ++ def test_update_into_auto_chunking(self, backend, monkeypatch): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ # Lower max chunk size so we can test chunking ++ monkeypatch.setattr(encryptor._ctx, "_MAX_CHUNK_SIZE", 40) ++ buf = bytearray(527) ++ pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes ++ processed = encryptor.update_into(pt, buf) ++ assert processed == 512 ++ decryptor = c.decryptor() ++ # Change max chunk size to verify alternate boundaries don't matter ++ monkeypatch.setattr(decryptor._ctx, "_MAX_CHUNK_SIZE", 73) ++ decbuf = bytearray(527) ++ decprocessed = decryptor.update_into(buf[:processed], decbuf) ++ assert decbuf[:decprocessed] == pt diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch new file mode 100644 index 0000000000..f28f414197 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch @@ -0,0 +1,43 @@ +From 7c72190620c3ccaeeab53fdd93547ca4d37b2f6b Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <paul.l.kehrer@gmail.com> +Date: Sun, 25 Oct 2020 06:15:18 -0700 +Subject: [PATCH] chunking didn't actually work (#5499) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/836a92a28fbe9df8c37121e340b91ed9cd519ddd] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 86bc94b3..2b7da80c 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 +- _MAX_CHUNK_SIZE = 2 ** 31 ++ _MAX_CHUNK_SIZE = 2 ** 31 - 1 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index b88610e7..fd9048b7 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -326,3 +326,12 @@ class TestCipherUpdateInto(object): + decbuf = bytearray(527) + decprocessed = decryptor.update_into(buf[:processed], decbuf) + assert decbuf[:decprocessed] == pt ++ ++ def test_max_chunk_size_fits_in_int32(self, backend): ++ # max chunk must fit in signed int32 or else a call large enough to ++ # cause chunking will result in the very OverflowError we want to ++ # avoid with chunking. ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ backend._ffi.new("int *", encryptor._ctx._MAX_CHUNK_SIZE) diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch new file mode 100644 index 0000000000..449dd692e6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch @@ -0,0 +1,37 @@ +From 6d0a76521abe287f5ddb5cd1cfbc799d35f08cf9 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Sun, 7 Feb 2021 11:36:56 -0500 +Subject: [PATCH] correct buffer overflows cause by integer overflow in openssl + (#5747) + +* correct buffer overflows cause by integer overflow in openssl + +frustratingly, there is no test for this -- that's because testing this +requires allocating more memory than is available in CI. + +fixes #5615. + +* backport CI fixes + +* another CI backport + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 2b7da80c..7ef5f1ea 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 +- _MAX_CHUNK_SIZE = 2 ** 31 - 1 ++ _MAX_CHUNK_SIZE = 2 ** 30 - 1 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend diff --git a/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch new file mode 100644 index 0000000000..6ef50a0084 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch @@ -0,0 +1,45 @@ +From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Tue, 7 Feb 2023 11:34:18 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696] +CVE: CVE-2023-23931 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch new file mode 100644 index 0000000000..c0acb9066b --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch @@ -0,0 +1,66 @@ +From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Mon, 19 Feb 2024 11:50:28 -0500 +Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't +match (#10423) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55] +CVE: CVE-2024-26130 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .../hazmat/backends/openssl/backend.py | 9 +++++++++ + tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 7e9fa20..ce3fc8c 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1046,6 +1046,15 @@ class Backend(object): + raise NotImplementedError( + 'Extension not supported: {}'.format(extension.oid) + ) ++ if p12 == self._ffi.NULL: ++ errors = self._consume_errors() ++ raise ValueError( ++ ( ++ "Failed to create PKCS12 (does the key match the " ++ "certificate?)" ++ ), ++ errors, ++ ) + + ext_struct = encode(self, extension.value) + nid = self._lib.OBJ_txt2nid( +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index f084d57..c4160b0 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -17,6 +17,24 @@ from cryptography.hazmat.primitives.serialization.pkcs12 import ( + + from .utils import load_vectors_from_file + ++ @pytest.mark.supported( ++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, ++ skip_message="Requires OpenSSL with PKCS12_set_mac", ++ ) ++ def test_set_mac_key_certificate_mismatch(self, backend): ++ cacert, _ = _load_ca(backend) ++ key = ec.generate_private_key(ec.SECP256R1()) ++ encryption = ( ++ serialization.PrivateFormat.PKCS12.encryption_builder() ++ .hmac_hash(hashes.SHA256()) ++ .build(b"password") ++ ) ++ ++ with pytest.raises(ValueError): ++ serialize_key_and_certificates( ++ b"name", key, cacert, [], encryption ++ ) ++ + + @pytest.mark.requires_backend_interface(interface=DERSerializationBackend) + class TestPKCS12(object): +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb b/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb index c75dabb974..63bc0e0d6d 100644 --- a/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb +++ b/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb @@ -11,6 +11,11 @@ SRC_URI[sha256sum] = "3cda1f0ed8747339bbdf71b9f38ca74c7b592f24f65cdb3ab3765e4b02 SRC_URI += " \ file://run-ptest \ + file://0001-chunked-update_into-5419.patch \ + file://0002-chunking-didn-t-actually-work-5499.patch \ + file://0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch \ + file://CVE-2023-23931.patch \ + file://CVE-2024-26130.patch \ " inherit pypi setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb b/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb index ac4b8c2aa6..c33c0f110f 100644 --- a/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/ldo/dbussy" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" -SRC_URI = "git://github.com/ldo/dbussy.git" +SRC_URI = "git://github.com/ldo/dbussy.git;branch=master;protocol=https" SRCREV = "d0ec0223f3797e1612d835e71694a1083881149f" diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.24.bb b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb new file mode 100644 index 0000000000..964ca6ba03 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb @@ -0,0 +1,9 @@ +require python-django.inc +inherit setuptools3 + +SRC_URI[md5sum] = "ebf3bbb7716a7b11029e860475b9a122" +SRC_URI[sha256sum] = "3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7" + +RDEPENDS_${PN} += "\ + ${PYTHON_PN}-sqlparse \ +" diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.7.bb b/meta-python/recipes-devtools/python/python3-django_2.2.7.bb deleted file mode 100644 index e56453abc1..0000000000 --- a/meta-python/recipes-devtools/python/python3-django_2.2.7.bb +++ /dev/null @@ -1,9 +0,0 @@ -require python-django.inc -inherit setuptools3 - -SRC_URI[md5sum] = "b0833024aac4c8240467e4dc91a12e9b" -SRC_URI[sha256sum] = "16040e1288c6c9f68c6da2fe75ebde83c0a158f6f5d54f4c5177b0c1478c5b86" - -RDEPENDS_${PN} += "\ - ${PYTHON_PN}-sqlparse \ -" diff --git a/meta-python/recipes-devtools/python/python3-dt-schema_git.bb b/meta-python/recipes-devtools/python/python3-dt-schema_git.bb index 06a9012ca4..d14b7de62a 100644 --- a/meta-python/recipes-devtools/python/python3-dt-schema_git.bb +++ b/meta-python/recipes-devtools/python/python3-dt-schema_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://setup.py;beginline=2;endline=3;md5=c795d4924c5f739424 inherit setuptools3 -SRC_URI = "git://github.com/robherring/dt-schema.git" +SRC_URI = "git://github.com/robherring/dt-schema.git;branch=master;protocol=https" SRCREV = "5009e47c1c76e48871f5988e08dad61f3c91196b" PV = "0.1+git${SRCPV}" diff --git a/meta-python/recipes-devtools/python/python3-fasteners_0.15.bb b/meta-python/recipes-devtools/python/python3-fasteners_0.16.3.bb index 8786a14842..1ba2c6f200 100644 --- a/meta-python/recipes-devtools/python/python3-fasteners_0.15.bb +++ b/meta-python/recipes-devtools/python/python3-fasteners_0.16.3.bb @@ -3,7 +3,12 @@ HOMEPAGE = "https://github.com/harlowja/fasteners" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=4476c4be31402271e101d9a4a3430d52" -SRC_URI[md5sum] = "440f8ab461c8fed941355860d8669556" -SRC_URI[sha256sum] = "3a176da6b70df9bb88498e1a18a9e4a8579ed5b9141207762368a1017bf8f5ef" +SRC_URI[md5sum] = "243188fe770ad60e9da722bef9dc7a78" +SRC_URI[sha256sum] = "b1ab4e5adfbc28681ce44b3024421c4f567e705cc3963c732bf1cba3348307de" inherit pypi setuptools3 + +RDEPENDS:${PN} += "\ + ${PYTHON_PN}-logging \ + ${PYTHON_PN}-fcntl \ +" diff --git a/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb b/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb index 6e08a19949..caf80c7621 100644 --- a/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb +++ b/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=a3ad9b6802e713fc5e307e1230f1ea90" -SRC_URI = "git://github.com/serge-sans-paille/gast.git" +SRC_URI = "git://github.com/serge-sans-paille/gast.git;branch=master;protocol=https" SRCREV ?= "ed82e2a507505c6b18eb665d3738b6c0602da5e7" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb b/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb index 7822e463ee..711ced022e 100644 --- a/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb +++ b/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://setup.py;beginline=107;endline=107;md5=795ecad0d261c998cc526c84a822dff6" -SRC_URI = "git://github.com/h5py/h5py.git \ +SRC_URI = "git://github.com/h5py/h5py.git;branch=master;protocol=https \ file://0001-cross-compiling-support.patch \ " SRCREV ?= "8d96a14c3508de1bde77aec5db302e478dc5dbc4" diff --git a/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb b/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb index 8fe4b988db..4d8af17209 100644 --- a/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb +++ b/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb @@ -5,7 +5,7 @@ SECTION = "devel/python" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=d8b7fdd0dff0fd18f35c05365d3d7bf7" -SRC_URI = "git://github.com/imageio/imageio.git;protocol=https" +SRC_URI = "git://github.com/imageio/imageio.git;protocol=https;branch=master" SRCREV = "0b161649b3ee108f80bd99466aeab2e65cf82cd8" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python3-jinja2/run-ptest b/meta-python/recipes-devtools/python/python3-jinja2/run-ptest deleted file mode 100644 index 5cec711696..0000000000 --- a/meta-python/recipes-devtools/python/python3-jinja2/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -pytest diff --git a/meta-python/recipes-devtools/python/python3-jinja2_2.11.2.bb b/meta-python/recipes-devtools/python/python3-jinja2_2.11.2.bb deleted file mode 100644 index 681acf8f1c..0000000000 --- a/meta-python/recipes-devtools/python/python3-jinja2_2.11.2.bb +++ /dev/null @@ -1,43 +0,0 @@ -DESCRIPTION = "Python Jinja2: A small but fast and easy to use stand-alone template engine written in pure python." - -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" - -SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0" - -PYPI_PACKAGE = "Jinja2" - -CLEANBROKEN = "1" - -inherit pypi setuptools3 ptest - -SRC_URI += " \ - file://run-ptest \ -" - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ -} - -RDEPENDS_${PN}-ptest += " \ - ${PYTHON_PN}-pytest \ - ${PYTHON_PN}-unixadmin \ -" - -RDEPENDS_${PN} += " \ - ${PYTHON_PN}-asyncio \ - ${PYTHON_PN}-crypt \ - ${PYTHON_PN}-io \ - ${PYTHON_PN}-json \ - ${PYTHON_PN}-markupsafe \ - ${PYTHON_PN}-math \ - ${PYTHON_PN}-netclient \ - ${PYTHON_PN}-numbers\ - ${PYTHON_PN}-pickle \ - ${PYTHON_PN}-pprint \ - ${PYTHON_PN}-shell \ - ${PYTHON_PN}-threading \ -" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb b/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb index 4293a63c1e..a124dd9f5b 100644 --- a/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb +++ b/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=366e2fd3c9714f162d3663b6f97cfe41" -SRC_URI = "git://github.com/keras-team/keras-applications.git" +SRC_URI = "git://github.com/keras-team/keras-applications.git;branch=master;protocol=https" SRCREV ?= "3b180cb10eda683dda7913ecee2e6487288d292d" diff --git a/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb b/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb index eacb3402d6..feb872e0a7 100644 --- a/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb +++ b/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=1744b320500cc2e3112964d00cce7aa4" -SRC_URI = "git://github.com/keras-team/keras-preprocessing.git" +SRC_URI = "git://github.com/keras-team/keras-preprocessing.git;branch=master;protocol=https" SRCREV ?= "ff90696c0416b74344b91df097b228e694339b88" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb b/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb index eb42fe978c..fd39e0fdb7 100644 --- a/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb +++ b/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb @@ -11,7 +11,7 @@ B = "${S}" SRCREV = "35687ca957b746f153a6872139462b1443f8cad1" PV = "0.0.38+git${SRCPV}" -SRC_URI = "git://github.com/mike-fabian/langtable.git;branch=master \ +SRC_URI = "git://github.com/mike-fabian/langtable.git;branch=master;protocol=https \ " inherit setuptools3 python3native diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch new file mode 100644 index 0000000000..ff3fcee6e2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch @@ -0,0 +1,94 @@ +From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Fri, 29 Jul 2022 10:16:59 +0530 +Subject: [PATCH] CVE-2022-2309 + +Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f] +CVE: CVE-2022-2309 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lxml/apihelpers.pxi | 7 ++++--- + src/lxml/iterparse.pxi | 11 ++++++----- + src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++ + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi +index 5eb3416..88a031d 100644 +--- a/src/lxml/apihelpers.pxi ++++ b/src/lxml/apihelpers.pxi +@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node): + while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE: + c_ns = c_node.nsDef + while c_ns is not NULL: +- prefix = funicodeOrNone(c_ns.prefix) +- if prefix not in nsmap: +- nsmap[prefix] = funicodeOrNone(c_ns.href) ++ if c_ns.prefix or c_ns.href: ++ prefix = funicodeOrNone(c_ns.prefix) ++ if prefix not in nsmap: ++ nsmap[prefix] = funicodeOrNone(c_ns.href) + c_ns = c_ns.next + c_node = c_node.parent + return nsmap +diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi +index 4c20506..3da7485 100644 +--- a/src/lxml/iterparse.pxi ++++ b/src/lxml/iterparse.pxi +@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node): + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- count += 1 ++ count += (c_ns.href is not NULL) + c_ns = c_ns.next + return count + +@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1: + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '', +- funicode(c_ns.href)) +- event_list.append( (u"start-ns", ns_tuple) ) +- count += 1 ++ if c_ns.href: ++ ns_tuple = (funicodeOrEmpty(c_ns.prefix), ++ funicode(c_ns.href)) ++ event_list.append( (u"start-ns", ns_tuple) ) ++ count += 1 + c_ns = c_ns.next + return count +diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py +index b997e4d..69e1bf1 100644 +--- a/src/lxml/tests/test_etree.py ++++ b/src/lxml/tests/test_etree.py +@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase): + [1,2,1,4], + counts) + ++ def test_walk_after_parse_failure(self): ++ # This used to be an issue because libxml2 can leak empty namespaces ++ # between failed parser runs. iterwalk() failed to handle such a tree. ++ try: ++ etree.XML('''<anot xmlns="1">''') ++ except etree.XMLSyntaxError: ++ pass ++ else: ++ assert False, "invalid input did not fail to parse" ++ ++ et = etree.XML('''<root> </root>''') ++ try: ++ ns = next(etree.iterwalk(et, events=('start-ns',))) ++ except StopIteration: ++ # This would be the expected result, because there was no namespace ++ pass ++ else: ++ # This is a bug in libxml2 ++ assert not ns, repr(ns) ++ + def test_itertext_comment_pi(self): + # https://bugs.launchpad.net/lxml/+bug/1844674 + XML = self.etree.XML +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-markupsafe/run-ptest b/meta-python/recipes-devtools/python/python3-markupsafe/run-ptest deleted file mode 100644 index 5cec711696..0000000000 --- a/meta-python/recipes-devtools/python/python3-markupsafe/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -pytest diff --git a/meta-python/recipes-devtools/python/python3-markupsafe_1.1.1.bb b/meta-python/recipes-devtools/python/python3-markupsafe_1.1.1.bb deleted file mode 100644 index 765e3c906b..0000000000 --- a/meta-python/recipes-devtools/python/python3-markupsafe_1.1.1.bb +++ /dev/null @@ -1,2 +0,0 @@ -inherit setuptools3 -require python-markupsafe.inc diff --git a/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb b/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb index f6d8c53d05..57d38e60ba 100644 --- a/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb @@ -32,6 +32,5 @@ RDEPENDS_${PN} = "\ python3-dateutil \ python3-kiwisolver \ python3-pytz \ + python3-pillow \ " - -BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch new file mode 100644 index 0000000000..0f0cfa7804 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch @@ -0,0 +1,26 @@ +From 7df88fc2319852ace202a650703d631200080e3b Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Thu, 30 Jun 2022 12:47:35 +1000 +Subject: [PATCH] Added GIF decompression bomb check + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/884437f8a2b953a0abd2a3b130a87fcfb438092e] +CVE: CVE-2022-45198 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/PIL/GifImagePlugin.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py +index 9d8e96f..c477fdd 100644 +--- a/src/PIL/GifImagePlugin.py ++++ b/src/PIL/GifImagePlugin.py +@@ -238,6 +238,7 @@ class GifImageFile(ImageFile.ImageFile): + x1, y1 = x0 + i16(s[4:]), y0 + i16(s[6:]) + if x1 > self.size[0] or y1 > self.size[1]: + self._size = max(x1, self.size[0]), max(y1, self.size[1]) ++ Image._decompression_bomb_check(self._size) + self.dispose_extent = x0, y0, x1, y1 + flags = i8(s[8]) + +-- +2.7.4 diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 0000000000..f9e3c49505 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch @@ -0,0 +1,31 @@ +From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001 +From: Eric Soroos <eric-github@soroos.net> +Date: Fri, 27 Oct 2023 11:21:18 +0200 +Subject: [PATCH] Don't allow __ or builtins in env dictionarys for + ImageMath.eval + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/PIL/ImageMath.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 392151c10..4cea3855e 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw): + args.update(_dict) + args.update(kw) + for k, v in list(args.items()): ++ if '__' in k or hasattr(__builtins__, k): ++ msg = f"'{k}' not allowed" ++ raise ValueError(msg) ++ + if hasattr(v, "im"): + args[k] = _Operand(v) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch new file mode 100644 index 0000000000..9c5d3fbcdc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch @@ -0,0 +1,54 @@ +From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat, 28 Oct 2023 15:58:52 +1100 +Subject: [PATCH] Allow ops + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Tests/test_imagemath.py | 4 ++++ + src/PIL/ImageMath.py | 9 +++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index da41b3a12..14a58a532 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -56,6 +56,10 @@ class TestImageMath(PillowTestCase): + pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0" + ) + ++ def test_prevent_double_underscores(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("1", {"__": None}) ++ + def test_logical(self): + self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) + self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 4cea3855e..776604e3f 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -258,13 +258,14 @@ def eval(expression, _dict={}, **kw): + + # build execution namespace + args = ops.copy() +- args.update(_dict) +- args.update(kw) +- for k, v in list(args.items()): +- if '__' in k or hasattr(__builtins__, k): ++ for k in list(_dict.keys()) + list(kw.keys()): ++ if "__" in k or hasattr(__builtins__, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + ++ args.update(_dict) ++ args.update(kw) ++ for k, v in list(args.items()): + if hasattr(v, "im"): + args[k] = _Operand(v) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch new file mode 100644 index 0000000000..b93425ee58 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch @@ -0,0 +1,44 @@ +From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat, 30 Dec 2023 09:30:12 +1100 +Subject: [PATCH] Include further builtins + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Tests/test_imagemath.py | 4 ++++ + src/PIL/ImageMath.py | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index 14a58a532..5bba832e2 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase): + with pytest.raises(ValueError): + ImageMath.eval("1", {"__": None}) + ++ def test_prevent_builtins(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) ++ + def test_logical(self): + self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) + self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 776604e3f..c6bc22180 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw): + # build execution namespace + args = ops.copy() + for k in list(_dict.keys()) + list(kw.keys()): +- if "__" in k or hasattr(__builtins__, k): ++ if "__" in k or hasattr(builtins, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb index a383a3ff91..6567b32d0d 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb @@ -5,9 +5,13 @@ HOMEPAGE = "https://pillow.readthedocs.io" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=55c0f320370091249c1755c0d2b48e89" -SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x \ +SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https \ file://0001-support-cross-compiling.patch \ file://0001-explicitly-set-compile-options.patch \ + file://0001-CVE-2022-45198.patch \ + file://CVE-2023-50447-1.patch \ + file://CVE-2023-50447-2.patch \ + file://CVE-2023-50447-3.patch \ " SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6" @@ -34,5 +38,3 @@ CVE_PRODUCT = "pillow" S = "${WORKDIR}/git" RPROVIDES_${PN} += "python3-imaging" - -BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb b/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb index fc7a47a43d..53f4db14ae 100644 --- a/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb +++ b/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=faa7f82be8f220bff6156be4790344fc" -SRC_URI = "git://github.com/matze/pkgconfig.git" +SRC_URI = "git://github.com/matze/pkgconfig.git;branch=master;protocol=https" SRCREV ?= "8af0102346847e8873af8e76ab3f34ba9da806e2" RDEPENDS_${PN} = "pkgconfig \ diff --git a/meta-python/recipes-devtools/python/python3-prctl_1.7.bb b/meta-python/recipes-devtools/python/python3-prctl_1.7.bb index 54620a0661..1f179852ca 100644 --- a/meta-python/recipes-devtools/python/python3-prctl_1.7.bb +++ b/meta-python/recipes-devtools/python/python3-prctl_1.7.bb @@ -13,7 +13,7 @@ B = "${S}" SRCREV = "57cd0a7cad76e8f8792eea22ee5b5d17bae0a90f" PV = "1.7+git${SRCPV}" -SRC_URI = "git://github.com/seveas/python-prctl;branch=master \ +SRC_URI = "git://github.com/seveas/python-prctl;branch=master;protocol=https \ file://0001-support-cross-complication.patch \ " inherit setuptools3 python3native diff --git a/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb b/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb index c138822400..6636fda839 100644 --- a/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb @@ -12,5 +12,3 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-prettytable \ ${PYTHON_PN}-cmd2 \ ${PYTHON_PN}-pyparsing" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb b/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb index 1bbde6986a..9251eccebe 100644 --- a/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb +++ b/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb @@ -10,8 +10,8 @@ SRC_URI[sha256sum] = "7e8b39c5a3a10bc176682b3bd9a7422c39ca247482df198b402e8015de SRC_URI += "file://0001-rule.py-fix-missing-comma.patch" PYPI_PACKAGE = "pykwalify" + inherit setuptools3 pypi -unset _PYTHON_SYSCONFIGDATA_NAME RDEPENDS_${PN} = "\ ${PYTHON_PN}-dateutil \ diff --git a/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb b/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb index b6de42f7c1..60a26f58bc 100644 --- a/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb +++ b/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb @@ -16,5 +16,3 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-pyserial \ ${PYTHON_PN}-robotframework \ " - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch new file mode 100644 index 0000000000..3cc8bcd02a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch @@ -0,0 +1,72 @@ +From 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson <sethmichaellarson@gmail.com> +Date: Mon, 17 Feb 2020 15:34:48 -0600 +Subject: [PATCH] Raise ValueError if method contains control characters + (#1800) + +CVE: CVE-2020-26137 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b.patch] +Signed-off-by: Nikhil R <nikhil.r@kpit.com> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comment: Removed one hunk in CHANGES.rst and refresh other to remove +patch fuzz warnings + +--- + src/urllib3/connection.py | 14 ++++++++++++++ + test/with_dummyserver/test_connectionpool.py | 6 ++++++ + 2 files changed, 20 insertions(+) + +diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py +index 71e6790b1b..f7b1760938 100644 +--- a/src/urllib3/connection.py ++++ b/src/urllib3/connection.py +@@ -1,4 +1,5 @@ + from __future__ import absolute_import ++import re + import datetime + import logging + import os +@@ -58,6 +59,8 @@ port_by_scheme = {"http": 80, "https": 443} + # (ie test_recent_date is failing) update it to ~6 months before the current date. + RECENT_DATE = datetime.date(2019, 1, 1) + ++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") ++ + + class DummyConnection(object): + """Used to detect a failed ConnectionCls import.""" +@@ -184,6 +187,17 @@ class HTTPConnection(_HTTPConnection, object): + conn = self._new_conn() + self._prepare_conn(conn) + ++ def putrequest(self, method, url, *args, **kwargs): ++ """Send a request to the server""" ++ match = _CONTAINS_CONTROL_CHAR_RE.search(method) ++ if match: ++ raise ValueError( ++ "Method cannot contain non-token characters %r (found at least %r)" ++ % (method, match.group()) ++ ) ++ ++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs) ++ + def request_chunked(self, method, url, body=None, headers=None): + """ + Alternative to the common request method, which sends the +diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py +index 57f0dbd2f4..79cbd27185 100644 +--- a/test/with_dummyserver/test_connectionpool.py ++++ b/test/with_dummyserver/test_connectionpool.py +@@ -677,6 +677,12 @@ class TestConnectionPool(HTTPDummyServerTestCase): + with pytest.raises(MaxRetryError): + pool.request("GET", "/test", retries=2) + ++ @pytest.mark.parametrize("char", [" ", "\r", "\n", "\x00"]) ++ def test_invalid_method_not_allowed(self, char): ++ with pytest.raises(ValueError): ++ with HTTPConnectionPool(self.host, self.port) as pool: ++ pool.request("GET" + char, "/") ++ + def test_percent_encode_invalid_target_chars(self): + with HTTPConnectionPool(self.host, self.port) as pool: + r = pool.request("GET", "/echo_params?q=\r&k=\n \n") diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch new file mode 100644 index 0000000000..838add9555 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch @@ -0,0 +1,67 @@ +From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson <sethmichaellarson@gmail.com> +Date: Wed, 26 May 2021 10:43:12 -0500 +Subject: [PATCH] Improve performance of sub-authority splitting in URL + +CVE: CVE-2021-33503 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec.patch] +Signed-off-by: Nikhil R <nikhil.r@kpit.com> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comment: Refresh hunks to remove patch fuzz warnings + +--- + src/urllib3/util/url.py | 8 +++++--- + test/test_util.py | 10 ++++++++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py +index 6ff238fe3c..81a03da9e3 100644 +--- a/src/urllib3/util/url.py ++++ b/src/urllib3/util/url.py +@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$") + BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$") + ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$") + +-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( ++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( + REG_NAME_PAT, + IPV4_PAT, + IPV6_ADDRZ_PAT, + ) +-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL) ++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL) + + UNRESERVED_CHARS = set( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~" +@@ -368,7 +368,9 @@ def parse_url(url): + scheme = scheme.lower() + + if authority: +- auth, host, port = SUBAUTHORITY_RE.match(authority).groups() ++ auth, _, host_port = authority.rpartition("@") ++ auth = auth or None ++ host, port = _HOST_PORT_RE.match(host_port).groups() + if auth and normalize_uri: + auth = _encode_invalid_chars(auth, USERINFO_CHARS) + if port == "": +diff --git a/test/test_util.py b/test/test_util.py +index a5b68a084b..88409e2d6c 100644 +--- a/test/test_util.py ++++ b/test/test_util.py +@@ -425,6 +425,16 @@ class TestUtil(object): + query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a", + ), + ), ++ # Tons of '@' causing backtracking ++ ("https://" + ("@" * 10000) + "[", False), ++ ( ++ "https://user:" + ("@" * 10000) + "example.com", ++ Url( ++ scheme="https", ++ auth="user:" + ("%40" * 9999), ++ host="example.com", ++ ), ++ ), + ] + + @pytest.mark.parametrize("url, expected_url", url_vulnerabilities) diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb index 8d987a1f30..73399d9439 100644 --- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb @@ -8,8 +8,10 @@ SRC_URI[sha256sum] = "f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e4 inherit pypi setuptools3 -SRC_URI += "file://CVE-2020-7212.patch" - +SRC_URI += "file://CVE-2020-7212.patch \ + file://CVE-2020-26137.patch \ + file://CVE-2021-33503.patch \ + " RDEPENDS_${PN} += "\ ${PYTHON_PN}-certifi \ ${PYTHON_PN}-cryptography \ diff --git a/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb b/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb index 025b2eea9d..af7f49fdcb 100644 --- a/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb +++ b/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9d66b41bc2a080e7174acc5dffecd752" -SRC_URI = "git://github.com/pypa/wheel.git" +SRC_URI = "git://github.com/pypa/wheel.git;branch=master;protocol=https" SRCREV ?= "b227ddd5beaba49294017d061d501f6d433393b0" diff --git a/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb b/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb index 2b5b253b5d..52ae91484a 100644 --- a/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb +++ b/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "9b5ad2d5b5df159963e1c6c24523e1dfe1f71435" -SRC_URI = "git://github.com/rhinstaller/blivet;branch=3.1-release \ +SRC_URI = "git://github.com/rhinstaller/blivet;branch=3.1-release;protocol=https \ file://0001-comment-out-selinux.patch \ file://0002-run_program-support-timeout.patch \ file://0003-support-infinit-timeout.patch \ diff --git a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb index 92402bee56..809d09e3ad 100644 --- a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb +++ b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "67ec0b7a0e065ba24ab87963409bfb21b2aac6dd" -SRC_URI = "git://github.com/rhinstaller/blivet-gui;branch=master \ +SRC_URI = "git://github.com/rhinstaller/blivet-gui;branch=master;protocol=https \ file://0001-Fix-return-type-of-BlivetUtils.get_disks-1658893.patch \ " diff --git a/meta-python/recipes-extended/python-cson/python3-cson_git.bb b/meta-python/recipes-extended/python-cson/python3-cson_git.bb index 5c74c7a307..8e8f3fb2a6 100644 --- a/meta-python/recipes-extended/python-cson/python3-cson_git.bb +++ b/meta-python/recipes-extended/python-cson/python3-cson_git.bb @@ -8,12 +8,11 @@ SECTION = "devel/python" LIC_FILES_CHKSUM = "file://LICENSE;md5=7709d2635e63ab96973055a23c2a4cac" SRCREV = "f3f2898c44bb16b951d3e9f2fbf6d1c4158edda2" -SRC_URI = "git://github.com/gt3389b/python-cson.git" +SRC_URI = "git://github.com/gt3389b/python-cson.git;branch=master;protocol=https" S = "${WORKDIR}/git" -RDEPENDS_${PN}_class-native = "" -DEPENDS_append_class-native = " python-native " +RDEPENDS_${PN} = "python3-json" inherit setuptools3 diff --git a/meta-python/recipes-extended/python-pyparted/python-pyparted.inc b/meta-python/recipes-extended/python-pyparted/python-pyparted.inc index 97054487f9..2322cf1092 100644 --- a/meta-python/recipes-extended/python-pyparted/python-pyparted.inc +++ b/meta-python/recipes-extended/python-pyparted/python-pyparted.inc @@ -12,7 +12,7 @@ DEPENDS += "parted" # upstream only publishes releases in github archives which are discouraged SRCREV = "481510c10866851844b19f3d2ffcdaa37efc0cf8" -SRC_URI = "git://github.com/rhinstaller/pyparted.git;protocol=https" +SRC_URI = "git://github.com/rhinstaller/pyparted.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb b/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb index f5d5debe11..d83a4a20b1 100644 --- a/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb +++ b/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb @@ -19,7 +19,7 @@ RDEPENDS_packagegroup-meta-webserver = "\ " RDEPENDS_packagegroup-meta-webserver-http = "\ - nginx monkey hiawatha nostromo apache-websocket \ + nginx monkey hiawatha apache-websocket \ apache2 sthttpd \ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "cherokee", "", d)} \ " diff --git a/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb b/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb index 3cbab22c3d..0b4bab5753 100644 --- a/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb +++ b/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb @@ -11,7 +11,7 @@ RDEPENDS_${PN} += "apache2" # Original (github.com/disconnect/apache-websocket) is dead since 2012, the # fork contains patches from the modules ML and fixes CVE compliance issues -SRC_URI = "git://github.com/jchampio/apache-websocket.git" +SRC_URI = "git://github.com/jchampio/apache-websocket.git;branch=master;protocol=https" SRCREV = "6968083264b90b89b1b9597a4ca03ba29e7ea2e1" diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch index 6c0286457c..50775be533 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch @@ -1,44 +1,43 @@ -From d2cedfa3394365689a3f7c8cfe8e0dd56b29bed9 Mon Sep 17 00:00:00 2001 +From ba9015386cbc044e111d7c266f13e2be045e4bf1 Mon Sep 17 00:00:00 2001 From: Koen Kooi <koen.kooi@linaro.org> Date: Tue, 17 Jun 2014 09:10:57 +0200 Subject: [PATCH] configure: use pkg-config for PCRE detection -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Koen Kooi <koen.kooi@linaro.org> --- - configure.in | 27 +++++---------------------- - 1 file changed, 5 insertions(+), 22 deletions(-) + configure.in | 26 +++++--------------------- + 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/configure.in b/configure.in -index 9feaceb..dc6ea15 100644 +index 38c1d0a..c799aec 100644 --- a/configure.in +++ b/configure.in -@@ -215,28 +215,11 @@ fi - AC_ARG_WITH(pcre, - APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library)) +@@ -221,27 +221,11 @@ else if which $with_pcre 2>/dev/null; then :; else + fi + fi --AC_PATH_PROG(PCRE_CONFIG, pcre-config, false) --if test -d "$with_pcre" && test -x "$with_pcre/bin/pcre-config"; then -- PCRE_CONFIG=$with_pcre/bin/pcre-config --elif test -x "$with_pcre"; then -- PCRE_CONFIG=$with_pcre --fi +-AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config], +- [`which $with_pcre 2>/dev/null`], $with_pcre) - --if test "$PCRE_CONFIG" != "false"; then +-if test "x$PCRE_CONFIG" != "x"; then - if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else -- AC_MSG_ERROR([Did not find pcre-config script at $PCRE_CONFIG]) +- AC_MSG_ERROR([Did not find working script at $PCRE_CONFIG]) - fi - case `$PCRE_CONFIG --version` in +- [1[0-9].*]) +- AC_DEFINE(HAVE_PCRE2, 1, [Detected PCRE2]) +- ;; - [[1-5].*]) - AC_MSG_ERROR([Need at least pcre version 6.0]) - ;; - esac - AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) - APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) -- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) +- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`]) -else -- AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) +- AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/]) -fi +PKG_CHECK_MODULES([PCRE], [libpcre], [ + AC_DEFINE([HAVE_PCRE], [1], [Define if you have PCRE library]) @@ -49,5 +48,5 @@ index 9feaceb..dc6ea15 100644 AC_MSG_NOTICE([]) -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch index 85fe6ae4bd..bbe8b325b5 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch @@ -1,8 +1,8 @@ -From 7df207ad4d0dcda2ad36e5642296e0dec7e13647 Mon Sep 17 00:00:00 2001 +From 5074ab3425e5f1e01fd9cfa2d9b7300ea1b3f38f Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory - is configured +Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory is + configured Bump up the core size limit if CoreDumpDirectory is configured. @@ -11,16 +11,15 @@ Upstream-Status: Pending Note: upstreaming was discussed but there are competing desires; there are portability oddities here too. - --- server/core.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/server/core.c b/server/core.c -index eacb54f..7aa841f 100644 +index 090e397..3020090 100644 --- a/server/core.c +++ b/server/core.c -@@ -4965,6 +4965,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte +@@ -5107,6 +5107,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper, apr_pool_cleanup_null); @@ -47,5 +46,5 @@ index eacb54f..7aa841f 100644 } -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch index 081a02baa3..adb728ba31 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch @@ -1,8 +1,8 @@ -From ddd560024a6d526187fd126f306b59533ca3f7e2 Mon Sep 17 00:00:00 2001 +From 9c03ed909b8da0e1a288f53fda535a3f15bcf791 Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: do not export apr/apr-util symbols when using - shared libapr +Subject: [PATCH] apache2: do not export apr/apr-util symbols when using shared + libapr There is no need to "suck in" the apr/apr-util symbols when using a shared libapr{,util}, it just bloats the symbol table; so don't. @@ -10,13 +10,12 @@ a shared libapr{,util}, it just bloats the symbol table; so don't. Upstream-Status: Pending Note: EXPORT_DIRS change is conditional on using shared apr - --- server/Makefile.in | 3 --- 1 file changed, 3 deletions(-) diff --git a/server/Makefile.in b/server/Makefile.in -index 1fa3344..f635d76 100644 +index 8111877..8c0c396 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -60,9 +60,6 @@ export_files: @@ -30,5 +29,5 @@ index 1fa3344..f635d76 100644 exports.c: export_files -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch index 78a04d9af4..3b080f54f6 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch @@ -1,4 +1,4 @@ -From dfa834ebd449df299f54e98f0fb3a7bb4008fb03 Mon Sep 17 00:00:00 2001 +From e47cc405eadcbe37a579c375e824e20a5c53bfad Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 Subject: [PATCH] Log the SELinux context at startup. @@ -15,10 +15,10 @@ Note: unlikely to be any interest in this upstream 2 files changed, 31 insertions(+) diff --git a/configure.in b/configure.in -index dc6ea15..caa6f54 100644 +index ea6cec3..92b74b7 100644 --- a/configure.in +++ b/configure.in -@@ -466,6 +466,11 @@ getloadavg +@@ -491,6 +491,11 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -31,10 +31,10 @@ index dc6ea15..caa6f54 100644 [AC_TRY_RUN(#define _GNU_SOURCE #include <unistd.h> diff --git a/server/core.c b/server/core.c -index 7aa841f..79f34db 100644 +index 4da7209..d3ca25b 100644 --- a/server/core.c +++ b/server/core.c -@@ -59,6 +59,10 @@ +@@ -65,6 +65,10 @@ #include <unistd.h> #endif @@ -44,8 +44,8 @@ index 7aa841f..79f34db 100644 + /* LimitRequestBody handling */ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4984,6 +4988,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ +@@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } #endif @@ -74,6 +74,3 @@ index 7aa841f..79f34db 100644 return OK; } --- -2.7.4 - diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch index 47320a9ee5..7b4a1b932b 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch @@ -1,4 +1,4 @@ -From 7db1b650bb4b01a5194a34cd7573f915656a595b Mon Sep 17 00:00:00 2001 +From e59aab44a28c654e518080693d573ca472ca5a08 Mon Sep 17 00:00:00 2001 From: Yulong Pei <Yulong.pei@windriver.com> Date: Thu, 1 Sep 2011 01:03:14 +0800 Subject: [PATCH] replace lynx to curl in apachectl script @@ -48,5 +48,5 @@ index 3281c2e..6ab4ba5 100644 *) $HTTPD "$@" -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch index 227d04064b..dbaf01d2c5 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch @@ -1,4 +1,4 @@ -From 4f4d7d6b88b6e440263ebeb22dfb40c52bb30fd8 Mon Sep 17 00:00:00 2001 +From fb09f1fe4525058b16b3d4edb2e3ae693154026e Mon Sep 17 00:00:00 2001 From: Zhenhua Luo <zhenhua.luo@freescale.com> Date: Fri, 25 Jan 2013 18:10:50 +0800 Subject: [PATCH] apache2: fix the race issue of parallel installation @@ -31,5 +31,5 @@ index e2d5bb6..dde5ae0 100755 pathcomp="$pathcomp/" done -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch index fed6b5010b..3ff6894409 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch @@ -1,4 +1,4 @@ -From 964ef2c1af74984602f46e7db938d3b95b148385 Mon Sep 17 00:00:00 2001 +From 0686564f64130f230870db8b4846973e3edbd646 Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Mon, 1 Dec 2014 02:08:27 -0500 Subject: [PATCH] apache2: allow to disable selinux support @@ -11,10 +11,10 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/configure.in b/configure.in -index caa6f54..eab2090 100644 +index 76811e7..4df3ff3 100644 --- a/configure.in +++ b/configure.in -@@ -466,10 +466,16 @@ getloadavg +@@ -491,10 +491,16 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -36,5 +36,5 @@ index caa6f54..eab2090 100644 AC_CACHE_CHECK([for gettid()], ac_cv_gettid, [AC_TRY_RUN(#define _GNU_SOURCE -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/0008-Fix-perl-install-directory-to-usr-bin.patch index 61669e3641..dc5b5c88f2 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0008-Fix-perl-install-directory-to-usr-bin.patch @@ -1,4 +1,4 @@ -From 5412077c398dec74321388fe6e593a44c4c80de6 Mon Sep 17 00:00:00 2001 +From 443d15b91d4e4979d92405610303797663f31102 Mon Sep 17 00:00:00 2001 From: echo <fei.geng@windriver.com> Date: Tue, 28 Apr 2009 03:11:06 +0000 Subject: [PATCH] Fix perl install directory to /usr/bin @@ -11,16 +11,15 @@ error: bad interpreter: No such file or directory Signed-off-by: Changqing Li <changqing.li@windriver.com> - --- configure.in | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/configure.in b/configure.in -index d828512..be7bd25 100644 +index 4df3ff3..4eeb609 100644 --- a/configure.in +++ b/configure.in -@@ -855,10 +855,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", +@@ -903,10 +903,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types", [Location of the MIME types config file, relative to the Apache root directory]) @@ -32,3 +31,6 @@ index d828512..be7bd25 100644 AC_SUBST(perlbin) dnl If we are running on BSD/OS, we need to use the BSD .include syntax. +-- +2.25.1 + diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-support-apxs.in-force-destdir-to-be-empty-string.patch b/meta-webserver/recipes-httpd/apache2/apache2/0009-support-apxs.in-force-destdir-to-be-empty-string.patch index bdedd146c2..d1f9bb0f43 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0001-support-apxs.in-force-destdir-to-be-empty-string.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0009-support-apxs.in-force-destdir-to-be-empty-string.patch @@ -1,10 +1,10 @@ -From 705c0a7e9d9c1e64ee09fc0b54f6b5a4e27de1ca Mon Sep 17 00:00:00 2001 +From 43a4ad04e0d8771267a73f98b5918bcd10b167ec Mon Sep 17 00:00:00 2001 From: Trevor Gamblin <trevor.gamblin@windriver.com> Date: Fri, 17 Apr 2020 06:31:35 -0700 Subject: [PATCH] support/apxs.in: force destdir to be empty string -If destdir is assigned to anything other than the empty string, the -search path for apache2 config files is appended to itself, and +If destdir is assigned to anything other than the empty string, the +search path for apache2 config files is appended to itself, and related packages like apache-websocket will be unable to locate them: | cannot open @@ -24,7 +24,7 @@ Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/support/apxs.in b/support/apxs.in -index 65e1288527..9d96e33728 100644 +index b2705fa..781f2ab 100644 --- a/support/apxs.in +++ b/support/apxs.in @@ -28,10 +28,12 @@ package apxs; @@ -45,5 +45,5 @@ index 65e1288527..9d96e33728 100644 my %config_vars = (); -- -2.17.1 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch b/meta-webserver/recipes-httpd/apache2/apache2/0010-apache2-do-not-use-relative-path-for-gen_test_char.patch index 82e9e8c35f..ced8469f3a 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0010-apache2-do-not-use-relative-path-for-gen_test_char.patch @@ -1,16 +1,15 @@ -From b62c4cd2295c98b2ebe12641e5f01590bd96ae94 Mon Sep 17 00:00:00 2001 +From d9993cbc33565c0acd29b0127d651dafa2a16975 Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 Subject: [PATCH] apache2: do not use relative path for gen_test_char Upstream-Status: Inappropriate [embedded specific] - --- server/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/Makefile.in b/server/Makefile.in -index f635d76..0d48924 100644 +index 8c0c396..3544f55 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -29,7 +29,7 @@ gen_test_char: $(gen_test_char_OBJECTS) @@ -23,5 +22,5 @@ index f635d76..0d48924 100644 util.lo: test_char.h -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.58.bb index 197cb83e64..746db4ac0a 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.58.bb @@ -13,12 +13,12 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0005-replace-lynx-to-curl-in-apachectl-script.patch \ file://0006-apache2-fix-the-race-issue-of-parallel-installation.patch \ file://0007-apache2-allow-to-disable-selinux-support.patch \ - file://apache-configure_perlbin.patch \ - file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \ + file://0008-Fix-perl-install-directory-to-usr-bin.patch \ + file://0009-support-apxs.in-force-destdir-to-be-empty-string.patch \ " -SRC_URI_append_class-target = " \ - file://0008-apache2-do-not-use-relative-path-for-gen_test_char.patch \ +SRC_URI:append:class-target = " \ + file://0010-apache2-do-not-use-relative-path-for-gen_test_char.patch \ file://init \ file://apache2-volatile.conf \ file://apache2.service \ @@ -26,8 +26,7 @@ SRC_URI_append_class-target = " \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" -SRC_URI[md5sum] = "7d661ea5e736dac5e2761d9f49fe8361" -SRC_URI[sha256sum] = "740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea" +SRC_URI[sha256sum] = "fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5" S = "${WORKDIR}/httpd-${PV}" diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb index 7424467946..864e3ac7b1 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb @@ -9,7 +9,7 @@ DEPENDS = "unzip-native libpcre openssl mysql5 ${@bb.utils.contains('DISTRO_FEAT SRCREV = "9a75e65b876bcc376cb6b379dca1f7ce4a055c59" PV = "1.2.104+git${SRCPV}" -SRC_URI = "git://github.com/cherokee/webserver \ +SRC_URI = "git://github.com/cherokee/webserver;branch=master;protocol=https \ file://cherokee.init \ file://cherokee.service \ file://cherokee-install-configured.py-once.patch \ diff --git a/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb b/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb index ed3df19390..2503f53166 100644 --- a/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb +++ b/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb @@ -6,7 +6,7 @@ DEPENDS = "libxml2 libxslt virtual/crypt" SECTION = "net" -SRC_URI = "http://hiawatha-webserver.org/files/${BP}.tar.gz \ +SRC_URI = "http://hiawatha-webserver.org/files/hiawatha-10/${BP}.tar.gz \ file://hiawatha-init \ file://hiawatha.service " diff --git a/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch b/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch new file mode 100644 index 0000000000..7dd1e721c0 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch @@ -0,0 +1,92 @@ +From 2b9667f36551406169e3e2a6a774466ac70a83c0 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Tue, 10 Oct 2023 15:13:39 +0300 +Subject: [PATCH] HTTP/2: per-iteration stream handling limit. + +To ensure that attempts to flood servers with many streams are detected +early, a limit of no more than 2 * max_concurrent_streams new streams per one +event loop iteration was introduced. This limit is applied even if +max_concurrent_streams is not yet reached - for example, if corresponding +streams are handled synchronously or reset. + +Further, refused streams are now limited to maximum of max_concurrent_streams +and 100, similarly to priority_limit initial value, providing some tolerance +to clients trying to open several streams at the connection start, yet +low tolerance to flooding attempts. + +Upstream-Status: Backport +[https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9] + +Reduces the impact of HTTP/2 Stream Reset flooding in the nginx product +(CVE-2023-44487). + +See: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ + +This patch only reduces the impact and does not completely mitigate the CVE +in question, the latter being due to a design flaw in the HTTP/2 protocol +itself. For transparancy reasons I therefore opted to not mark the +CVE as resolved, so that integrators can decide for themselves, wheither to +enable HTTP/2 support or allow HTTP/1.1 connections only. + +Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> +--- + src/http/v2/ngx_http_v2.c | 15 +++++++++++++++ + src/http/v2/ngx_http_v2.h | 2 ++ + 2 files changed, 17 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 3611a2e50..291677aca 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); + + h2c->blocked = 1; ++ h2c->new_streams = 0; + + if (c->close) { + c->close = 0; +@@ -1320,6 +1321,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + goto rst_stream; + } + ++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many streams at once"); ++ ++ status = NGX_HTTP_V2_REFUSED_STREAM; ++ goto rst_stream; ++ } ++ + if (!h2c->settings_ack + && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) + && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) +@@ -1385,6 +1394,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + + rst_stream: + ++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many refused streams"); ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); ++ } ++ + if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 349229711..6a7aaa62c 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -125,6 +125,8 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t new_streams; ++ ngx_uint_t refused_streams; + ngx_uint_t priority_limit; + + ngx_uint_t pushing; +-- +2.42.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch new file mode 100644 index 0000000000..45653e422e --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch @@ -0,0 +1,39 @@ +From 6511195c023bf03e0fb19a36f41f42f4edde6e88 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov <ru@nginx.com> +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. + +Upstream-Status: Backport +CVE: CVE-2019-20372 + +Reference to upstream patch: +https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 4ffb2cc8..76e67058 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { +-- +2.17.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch new file mode 100644 index 0000000000..a708033775 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch @@ -0,0 +1,46 @@ +From 7199ebc203f74fd9e44595474de6bdc41740c5cf Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Tue, 25 May 2021 15:17:36 +0300 +Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy(). + +Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH. + +Upstream-Status: Backport +CVE: CVE-2021-23017 + +Reference to upstream patch: +https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/core/ngx_resolver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index 79390701..63b26193 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4008,15 +4008,15 @@ done: + n = *src++; + + } else { ++ if (dst != name->data) { ++ *dst++ = '.'; ++ } ++ + ngx_strlow(dst, src, n); + dst += n; + src += n; + + n = *src++; +- +- if (n != 0) { +- *dst++ = '.'; +- } + } + + if (n == 0) { +-- +2.17.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch new file mode 100644 index 0000000000..3fab8bac6c --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch @@ -0,0 +1,89 @@ +From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Wed, 19 May 2021 03:13:31 +0300 +Subject: [PATCH 1/1] Mail: max_errors directive. + +Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands +in Exim, specifies the number of errors after which the connection is closed. +Index: nginx-1.16.1/src/mail/ngx_mail.h +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail.h ++++ nginx-1.16.1/src/mail/ngx_mail.h +@@ -113,6 +113,8 @@ typedef struct { + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -225,6 +227,7 @@ typedef struct { + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c ++++ nginx-1.16.1/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_comm + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +Index: nginx-1.16.1/src/mail/ngx_mail_handler.c +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c ++++ nginx-1.16.1/src/mail/ngx_mail_handler.c +@@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch new file mode 100644 index 0000000000..8a8a35b2dd --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch @@ -0,0 +1,319 @@ +From 9563a2a08c007d78a6796b0232201bf7dc4a8103 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 16 Nov 2022 10:28:24 +0530 +Subject: [PATCH] CVE-2022-41741, CVE-2022-41742 + +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea] +CVE: CVE-2022-41741, CVE-2022-41742 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Mp4: disabled duplicate atoms. + +Most atoms should not appear more than once in a container. Previously, +this was not enforced by the module, which could result in worker process +crash, memory corruption and disclosure. +--- + src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++ + 1 file changed, 147 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 618bf78..7b7184d 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -1076,6 +1076,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_ERROR; + } + ++ if (mp4->ftyp_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + ftyp_atom = ngx_palloc(mp4->request->pool, atom_size); +@@ -1134,6 +1140,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_DECLINED; + } + ++ if (mp4->moov_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module); + + if (atom_data_size > mp4->buffer_size) { +@@ -1201,6 +1213,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom"); + ++ if (mp4->mdat_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + data = &mp4->mdat_data_buf; + data->file = &mp4->file; + data->in_file = 1; +@@ -1327,6 +1345,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom"); + ++ if (mp4->mvhd_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_header = ngx_mp4_atom_header(mp4); + mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header; + mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header; +@@ -1592,6 +1616,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->tkhd_size = atom_size; + + ngx_mp4_set_32value(tkhd_atom->size, atom_size); +@@ -1630,6 +1661,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->mdia_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1753,6 +1790,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->mdhd_size = atom_size; + trak->timescale = timescale; + +@@ -1795,6 +1839,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->hdlr_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1823,6 +1873,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->minf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1866,6 +1922,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->vmhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1897,6 +1962,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->smhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1928,6 +2002,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->dinf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1956,6 +2036,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stbl_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2024,6 +2110,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stsd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2092,6 +2184,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->time_to_sample_entries = entries; + + atom = &trak->stts_atom_buf; +@@ -2297,6 +2396,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sync sample entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sync_samples_entries = entries; + + atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t); +@@ -2495,6 +2601,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "composition offset entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->composition_offset_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t); +@@ -2698,6 +2811,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_to_chunk_entries = entries; + + atom = &trak->stsc_atom_buf; +@@ -3030,6 +3150,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sample uniform size:%uD, entries:%uD", size, entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_sizes_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t); +@@ -3199,6 +3326,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint32_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->stco_atom_buf; +@@ -3383,6 +3520,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint64_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->co64_atom_buf; +-- +2.25.1 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index de080a2b01..903a62b3d7 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -22,6 +22,8 @@ SRC_URI = " \ file://nginx-volatile.conf \ file://nginx.service \ file://nginx-fix-pidfile.patch \ + file://CVE-2021-23017.patch \ + file://CVE-2021-3618.patch \ " inherit siteinfo update-rc.d useradd systemd diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb index 207642575b..39cfd3a67b 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb @@ -4,3 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" SRC_URI[md5sum] = "45a80f75336c980d240987badc3dcf60" SRC_URI[sha256sum] = "f11c2a6dd1d3515736f0324857957db2de98be862461b5a542a3ac6188dbe32b" + +SRC_URI += "file://CVE-2019-20372.patch \ + file://CVE-2022-41741-CVE-2022-41742.patch \ + file://0001-HTTP-2-per-iteration-stream-handling-limit.patch \ + " diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb index 3d2a5edd26..9fd6d73428 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb @@ -8,3 +8,5 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" SRC_URI[md5sum] = "29cd861a13aae69a058cbabaae86177b" SRC_URI[sha256sum] = "97d23ecf6d5150b30e284b40e8a6f7e3bb5be6b601e373a4d013768d5a25965b" + +SRC_URI += "file://0001-HTTP-2-per-iteration-stream-handling-limit.patch" diff --git a/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb b/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb index d13ef74feb..deb76ac95c 100644 --- a/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb +++ b/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb @@ -62,3 +62,6 @@ pkg_postinst_${PN} () { fi fi } + +PNBLACKLIST[nostromo] ?= "Host site for URI is dead" +EXCLUDE_FROM_WORLD = "1" diff --git a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb index 560dd9b6e4..ab479d9ce5 100644 --- a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb +++ b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://src/thttpd.c;beginline=1;endline=26;md5=0c5762c2c34dc DEPENDS += "base-passwd virtual/crypt" SRCREV = "2845bf5bff2b820d2336c8c8061cbfc5f271e720" -SRC_URI = "git://github.com/blueness/${BPN} \ +SRC_URI = "git://github.com/blueness/${BPN};branch=master;protocol=https \ file://thttpd.service \ file://thttpd.conf \ file://init" diff --git a/meta-webserver/recipes-support/fcgi/fcgi_git.bb b/meta-webserver/recipes-support/fcgi/fcgi_git.bb index 6df58ad3c4..61ef6073e0 100644 --- a/meta-webserver/recipes-support/fcgi/fcgi_git.bb +++ b/meta-webserver/recipes-support/fcgi/fcgi_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.TERMS;md5=e3aacac3a647af6e7e31f181cda0a06a" SRCREV = "382aa2b0d53a87c27f2f647dfaf670375ba0b85f" PV = "2.4.2" -SRC_URI = "git://github.com/FastCGI-Archives/fcgi2.git;protocol=https \ +SRC_URI = "git://github.com/FastCGI-Archives/fcgi2.git;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_git.bb b/meta-webserver/recipes-webadmin/netdata/netdata_git.bb index d6a5ce0662..ab9de70b3b 100644 --- a/meta-webserver/recipes-webadmin/netdata/netdata_git.bb +++ b/meta-webserver/recipes-webadmin/netdata/netdata_git.bb @@ -3,7 +3,7 @@ SUMMARY = "Real-time performance monitoring" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://LICENSE;md5=fc9b848046ef54b5eaee6071947abd24" -SRC_URI = "git://github.com/firehol/netdata.git;protocol=https \ +SRC_URI = "git://github.com/firehol/netdata.git;protocol=https;branch=master \ file://0002-Makefiles-does-not-build-contrib-dir.patch \ " SRCREV = "588ce5a7b18999dfa66698cd3a2f005f7a3c31cf" diff --git a/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb b/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb index 64582f28f2..d76b0835fb 100644 --- a/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb +++ b/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "gtk+3 glib-2.0 xfce4-dev-tools-native intltool-native" -SRC_URI = "git://github.com/ib/xarchiver.git" +SRC_URI = "git://github.com/ib/xarchiver.git;branch=master;protocol=https" SRCREV = "9ab958a4023b62b43972c55a3143ff0722bd88a6" PV = "0.5.4.14" S = "${WORKDIR}/git" diff --git a/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb b/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb index 2ef81f286d..58e628deca 100644 --- a/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb +++ b/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb @@ -8,7 +8,7 @@ inherit xfce-app features_check REQUIRED_DISTRO_FEATURES = "polkit" SRC_URI = " \ - git://github.com/ncopa/${BPN}.git \ + git://github.com/ncopa/${BPN}.git;branch=master;protocol=https \ " SRCREV = "6d3282cc1734c305850d48f5bf4b4d94e88885e9" S = "${WORKDIR}/git" diff --git a/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb b/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb index 2dd3f01d8c..145a9cc400 100644 --- a/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb +++ b/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=75859989545e37968a99b631ef42722e" DEPENDS = "glib-2.0-native libxfce4ui" -SRC_URI = "git://github.com/schnitzeltony/xfce4-datetime-setter.git;protocol=https \ +SRC_URI = "git://github.com/schnitzeltony/xfce4-datetime-setter.git;protocol=https;branch=master \ file://fix-inner-dependency.patch \ " SRCREV = "5c7a73a3824b03b91719e05e2604b97c7a72d50f" diff --git a/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb b/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb index 8dfb2e626d..531f3d5cd0 100644 --- a/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb +++ b/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb @@ -9,7 +9,7 @@ DEPENDS += "exo-native libwnck3 xfconf" PV = "0.1.0+gitr${SRCPV}" -SRC_URI = "git://github.com/schnitzeltony/xfce4-closebutton-plugin.git;branch=master" +SRC_URI = "git://github.com/schnitzeltony/xfce4-closebutton-plugin.git;branch=master;protocol=https" SRCREV = "6ed5c3ee1ba7103ca854c5e81fb2c1220b913a40" S = "${WORKDIR}/git" |