summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_both.c4
-rw-r--r--src/lib/libssl/ssl_cert.c6
-rw-r--r--src/lib/libssl/ssl_clnt.c30
-rw-r--r--src/lib/libssl/ssl_sigalgs.c10
-rw-r--r--src/lib/libssl/ssl_srvr.c32
-rw-r--r--src/lib/libssl/t1_lib.c11
6 files changed, 55 insertions, 38 deletions
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 6e38463e27..62652f8406 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_both.c,v 1.38 2021/10/23 13:36:03 jsing Exp $ */ 1/* $OpenBSD: ssl_both.c,v 1.39 2021/11/26 16:41:42 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -534,7 +534,7 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
534 if (pk == NULL) 534 if (pk == NULL)
535 goto err; 535 goto err;
536 536
537 i = pk->type; 537 i = EVP_PKEY_id(pk);
538 if (i == EVP_PKEY_RSA) { 538 if (i == EVP_PKEY_RSA) {
539 ret = SSL_PKEY_RSA; 539 ret = SSL_PKEY_RSA;
540 } else if (i == EVP_PKEY_EC) { 540 } else if (i == EVP_PKEY_EC) {
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 4c39925c60..e7de31949f 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.86 2021/10/23 20:42:50 beck Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.87 2021/11/26 16:41:42 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -229,9 +229,7 @@ ssl_cert_dup(CERT *cert)
229 229
230 if (cert->pkeys[i].privatekey != NULL) { 230 if (cert->pkeys[i].privatekey != NULL) {
231 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey; 231 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
232 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1, 232 EVP_PKEY_up_ref(ret->pkeys[i].privatekey);
233 CRYPTO_LOCK_EVP_PKEY);
234
235 switch (i) { 233 switch (i) {
236 /* 234 /*
237 * If there was anything special to do for 235 * If there was anything special to do for
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 02bd3d5dfe..6fe15dcf1d 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.118 2021/11/19 18:53:10 tb Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.119 2021/11/26 16:41:42 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1925,6 +1925,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
1925 unsigned char *enc_pms = NULL; 1925 unsigned char *enc_pms = NULL;
1926 uint16_t max_legacy_version; 1926 uint16_t max_legacy_version;
1927 EVP_PKEY *pkey = NULL; 1927 EVP_PKEY *pkey = NULL;
1928 RSA *rsa;
1928 int ret = -1; 1929 int ret = -1;
1929 int enc_len; 1930 int enc_len;
1930 CBB epms; 1931 CBB epms;
@@ -1934,8 +1935,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
1934 */ 1935 */
1935 1936
1936 pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509); 1937 pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509);
1937 if (pkey == NULL || pkey->type != EVP_PKEY_RSA || 1938 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
1938 pkey->pkey.rsa == NULL) {
1939 SSLerror(s, ERR_R_INTERNAL_ERROR); 1939 SSLerror(s, ERR_R_INTERNAL_ERROR);
1940 goto err; 1940 goto err;
1941 } 1941 }
@@ -1953,12 +1953,12 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
1953 pms[1] = max_legacy_version & 0xff; 1953 pms[1] = max_legacy_version & 0xff;
1954 arc4random_buf(&pms[2], sizeof(pms) - 2); 1954 arc4random_buf(&pms[2], sizeof(pms) - 2);
1955 1955
1956 if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) { 1956 if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
1957 SSLerror(s, ERR_R_MALLOC_FAILURE); 1957 SSLerror(s, ERR_R_MALLOC_FAILURE);
1958 goto err; 1958 goto err;
1959 } 1959 }
1960 1960
1961 enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa, 1961 enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
1962 RSA_PKCS1_PADDING); 1962 RSA_PKCS1_PADDING);
1963 if (enc_len <= 0) { 1963 if (enc_len <= 0) {
1964 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT); 1964 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
@@ -2385,6 +2385,7 @@ static int
2385ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) 2385ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2386{ 2386{
2387 CBB cbb_signature; 2387 CBB cbb_signature;
2388 RSA *rsa;
2388 unsigned char data[EVP_MAX_MD_SIZE]; 2389 unsigned char data[EVP_MAX_MD_SIZE];
2389 unsigned char *signature = NULL; 2390 unsigned char *signature = NULL;
2390 unsigned int signature_len; 2391 unsigned int signature_len;
@@ -2395,8 +2396,10 @@ ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2395 goto err; 2396 goto err;
2396 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) 2397 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2397 goto err; 2398 goto err;
2398 if (RSA_sign(NID_md5_sha1, data, data_len, signature, 2399 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
2399 &signature_len, pkey->pkey.rsa) <= 0 ) { 2400 goto err;
2401 if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len,
2402 rsa) <= 0 ) {
2400 SSLerror(s, ERR_R_RSA_LIB); 2403 SSLerror(s, ERR_R_RSA_LIB);
2401 goto err; 2404 goto err;
2402 } 2405 }
@@ -2418,6 +2421,7 @@ static int
2418ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) 2421ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2419{ 2422{
2420 CBB cbb_signature; 2423 CBB cbb_signature;
2424 EC_KEY *eckey;
2421 unsigned char data[EVP_MAX_MD_SIZE]; 2425 unsigned char data[EVP_MAX_MD_SIZE];
2422 unsigned char *signature = NULL; 2426 unsigned char *signature = NULL;
2423 unsigned int signature_len; 2427 unsigned int signature_len;
@@ -2427,8 +2431,10 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2427 goto err; 2431 goto err;
2428 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) 2432 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2429 goto err; 2433 goto err;
2434 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
2435 goto err;
2430 if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH, 2436 if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
2431 signature, &signature_len, pkey->pkey.ec)) { 2437 signature, &signature_len, eckey)) {
2432 SSLerror(s, ERR_R_ECDSA_LIB); 2438 SSLerror(s, ERR_R_ECDSA_LIB);
2433 goto err; 2439 goto err;
2434 } 2440 }
@@ -2543,15 +2549,15 @@ ssl3_send_client_verify(SSL *s)
2543 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg, 2549 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
2544 &cert_verify)) 2550 &cert_verify))
2545 goto err; 2551 goto err;
2546 } else if (pkey->type == EVP_PKEY_RSA) { 2552 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
2547 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify)) 2553 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
2548 goto err; 2554 goto err;
2549 } else if (pkey->type == EVP_PKEY_EC) { 2555 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2550 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify)) 2556 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2551 goto err; 2557 goto err;
2552#ifndef OPENSSL_NO_GOST 2558#ifndef OPENSSL_NO_GOST
2553 } else if (pkey->type == NID_id_GostR3410_94 || 2559 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
2554 pkey->type == NID_id_GostR3410_2001) { 2560 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2555 if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify)) 2561 if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
2556 goto err; 2562 goto err;
2557#endif 2563#endif
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 765f39d4a9..95c624af9c 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.37 2021/06/29 19:36:14 jsing Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.38 2021/11/26 16:41:42 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -246,7 +246,7 @@ static const struct ssl_sigalg *
246ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey) 246ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
247{ 247{
248 /* Default signature algorithms used for TLSv1.2 and earlier. */ 248 /* Default signature algorithms used for TLSv1.2 and earlier. */
249 switch (pkey->type) { 249 switch (EVP_PKEY_id(pkey)) {
250 case EVP_PKEY_RSA: 250 case EVP_PKEY_RSA:
251 if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) 251 if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION)
252 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); 252 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
@@ -267,12 +267,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
267{ 267{
268 if (sigalg == NULL || pkey == NULL) 268 if (sigalg == NULL || pkey == NULL)
269 return 0; 269 return 0;
270 if (sigalg->key_type != pkey->type) 270 if (sigalg->key_type != EVP_PKEY_id(pkey))
271 return 0; 271 return 0;
272 272
273 /* RSA PSS must have a sufficiently large RSA key. */ 273 /* RSA PSS must have a sufficiently large RSA key. */
274 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) { 274 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
275 if (pkey->type != EVP_PKEY_RSA || 275 if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
276 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2)) 276 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
277 return 0; 277 return 0;
278 } 278 }
@@ -286,7 +286,7 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
286 return 0; 286 return 0;
287 287
288 /* Ensure that curve matches for EC keys. */ 288 /* Ensure that curve matches for EC keys. */
289 if (pkey->type == EVP_PKEY_EC) { 289 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
290 if (sigalg->curve_nid == 0) 290 if (sigalg->curve_nid == 0)
291 return 0; 291 return 0;
292 if (EC_GROUP_get_curve_name(EC_KEY_get0_group( 292 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 13644c1625..6b0d85b15b 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.124 2021/11/19 18:53:10 tb Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.125 2021/11/26 16:41:42 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1727,13 +1727,11 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
1727 fakekey[1] = S3I(s)->hs.peer_legacy_version & 0xff; 1727 fakekey[1] = S3I(s)->hs.peer_legacy_version & 0xff;
1728 1728
1729 pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; 1729 pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
1730 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || 1730 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
1731 (pkey->pkey.rsa == NULL)) {
1732 al = SSL_AD_HANDSHAKE_FAILURE; 1731 al = SSL_AD_HANDSHAKE_FAILURE;
1733 SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE); 1732 SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE);
1734 goto fatal_err; 1733 goto fatal_err;
1735 } 1734 }
1736 rsa = pkey->pkey.rsa;
1737 1735
1738 pms_len = RSA_size(rsa); 1736 pms_len = RSA_size(rsa);
1739 if (pms_len < SSL_MAX_MASTER_KEY_LENGTH) 1737 if (pms_len < SSL_MAX_MASTER_KEY_LENGTH)
@@ -2226,10 +2224,17 @@ ssl3_get_cert_verify(SSL *s)
2226 SSLerror(s, SSL_R_BAD_SIGNATURE); 2224 SSLerror(s, SSL_R_BAD_SIGNATURE);
2227 goto fatal_err; 2225 goto fatal_err;
2228 } 2226 }
2229 } else if (pkey->type == EVP_PKEY_RSA) { 2227 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
2228 RSA *rsa;
2229
2230 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
2231 al = SSL_AD_INTERNAL_ERROR;
2232 SSLerror(s, ERR_R_EVP_LIB);
2233 goto fatal_err;
2234 }
2230 verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify, 2235 verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify,
2231 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature), 2236 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
2232 CBS_len(&signature), pkey->pkey.rsa); 2237 CBS_len(&signature), rsa);
2233 if (verify < 0) { 2238 if (verify < 0) {
2234 al = SSL_AD_DECRYPT_ERROR; 2239 al = SSL_AD_DECRYPT_ERROR;
2235 SSLerror(s, SSL_R_BAD_RSA_DECRYPT); 2240 SSLerror(s, SSL_R_BAD_RSA_DECRYPT);
@@ -2240,19 +2245,26 @@ ssl3_get_cert_verify(SSL *s)
2240 SSLerror(s, SSL_R_BAD_RSA_SIGNATURE); 2245 SSLerror(s, SSL_R_BAD_RSA_SIGNATURE);
2241 goto fatal_err; 2246 goto fatal_err;
2242 } 2247 }
2243 } else if (pkey->type == EVP_PKEY_EC) { 2248 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2249 EC_KEY *eckey;
2250
2251 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
2252 al = SSL_AD_INTERNAL_ERROR;
2253 SSLerror(s, ERR_R_EVP_LIB);
2254 goto fatal_err;
2255 }
2244 verify = ECDSA_verify(0, 2256 verify = ECDSA_verify(0,
2245 &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), 2257 &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
2246 SHA_DIGEST_LENGTH, CBS_data(&signature), 2258 SHA_DIGEST_LENGTH, CBS_data(&signature),
2247 CBS_len(&signature), pkey->pkey.ec); 2259 CBS_len(&signature), eckey);
2248 if (verify <= 0) { 2260 if (verify <= 0) {
2249 al = SSL_AD_DECRYPT_ERROR; 2261 al = SSL_AD_DECRYPT_ERROR;
2250 SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); 2262 SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
2251 goto fatal_err; 2263 goto fatal_err;
2252 } 2264 }
2253#ifndef OPENSSL_NO_GOST 2265#ifndef OPENSSL_NO_GOST
2254 } else if (pkey->type == NID_id_GostR3410_94 || 2266 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
2255 pkey->type == NID_id_GostR3410_2001) { 2267 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2256 unsigned char sigbuf[128]; 2268 unsigned char sigbuf[128];
2257 unsigned int siglen = sizeof(sigbuf); 2269 unsigned int siglen = sizeof(sigbuf);
2258 EVP_PKEY_CTX *pctx; 2270 EVP_PKEY_CTX *pctx;
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 092331aae1..78532054a0 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.183 2021/10/25 10:01:46 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.184 2021/11/26 16:41:42 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -572,16 +572,17 @@ tls1_check_ec_server_key(SSL *s)
572 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 572 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
573 uint16_t curve_id; 573 uint16_t curve_id;
574 uint8_t comp_id; 574 uint8_t comp_id;
575 EC_KEY *eckey;
575 EVP_PKEY *pkey; 576 EVP_PKEY *pkey;
576 int rv; 577 int rv;
577 578
578 if (cpk->x509 == NULL || cpk->privatekey == NULL) 579 if (cpk->x509 == NULL || cpk->privatekey == NULL)
579 return (0); 580 return (0);
580 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 581 if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL)
581 return (0); 582 return (0);
582 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 583 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
583 EVP_PKEY_free(pkey); 584 return (0);
584 if (rv != 1) 585 if ((rv = tls1_set_ec_id(&curve_id, &comp_id, eckey)) != 1)
585 return (0); 586 return (0);
586 587
587 return tls1_check_ec_key(s, &curve_id, &comp_id); 588 return tls1_check_ec_key(s, &curve_id, &comp_id);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-03 11:08:09 +0000