Blame SOURCES/gnutls-3.7.3-fips-pkcs12.patch

118cf7
From 7d8d8feb502ddb20a0d115fa3f63403c849a7168 Mon Sep 17 00:00:00 2001
118cf7
From: Daiki Ueno <ueno@gnu.org>
118cf7
Date: Thu, 10 Feb 2022 16:43:08 +0100
118cf7
Subject: [PATCH 1/2] pkcs12: mark MAC generation and verification as FIPS
118cf7
 non-approved
118cf7
118cf7
Signed-off-by: Daiki Ueno <ueno@gnu.org>
118cf7
---
118cf7
 lib/x509/pkcs12.c     | 39 +++++++++++++++++++++++++---
118cf7
 tests/pkcs12_encode.c | 59 +++++++++++++++++++++++++++++++++++++++++++
118cf7
 2 files changed, 94 insertions(+), 4 deletions(-)
118cf7
118cf7
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
118cf7
index a8f7d8f956..11b9da3ac9 100644
118cf7
--- a/lib/x509/pkcs12.c
118cf7
+++ b/lib/x509/pkcs12.c
118cf7
@@ -286,13 +286,26 @@ gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12,
118cf7
 		     gnutls_x509_crt_fmt_t format, void *output_data,
118cf7
 		     size_t * output_data_size)
118cf7
 {
118cf7
+	int ret;
118cf7
+
118cf7
 	if (pkcs12 == NULL) {
118cf7
 		gnutls_assert();
118cf7
 		return GNUTLS_E_INVALID_REQUEST;
118cf7
 	}
118cf7
 
118cf7
-	return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
118cf7
-				       output_data, output_data_size);
118cf7
+	ret = _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
118cf7
+				      output_data, output_data_size);
118cf7
+
118cf7
+	if (ret < 0) {
118cf7
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
118cf7
+	} else {
118cf7
+		/* PKCS#12 export is always non-approved, because the MAC
118cf7
+		 * calculation involves non-approved KDF (PKCS#12 KDF) and
118cf7
+		 * without MAC the protection is insufficient.
118cf7
+		 */
118cf7
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
118cf7
+	}
118cf7
+	return ret;
118cf7
 }
118cf7
 
118cf7
 /**
118cf7
@@ -317,13 +330,25 @@ int
118cf7
 gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12,
118cf7
 		      gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
118cf7
 {
118cf7
+	int ret;
118cf7
+
118cf7
 	if (pkcs12 == NULL) {
118cf7
 		gnutls_assert();
118cf7
 		return GNUTLS_E_INVALID_REQUEST;
118cf7
 	}
118cf7
 
118cf7
-	return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
118cf7
-					out);
118cf7
+	ret = _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
118cf7
+				       out);
118cf7
+	if (ret < 0) {
118cf7
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
118cf7
+	} else {
118cf7
+		/* PKCS#12 export is always non-approved, because the MAC
118cf7
+		 * calculation involves non-approved KDF (PKCS#12 KDF) and
118cf7
+		 * without MAC the protection is insufficient.
118cf7
+		 */
118cf7
+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
118cf7
+	}
118cf7
+	return ret;
118cf7
 }
118cf7
 
118cf7
 static int oid2bag(const char *oid)
118cf7
@@ -1025,9 +1050,12 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m
118cf7
 		goto cleanup;
118cf7
 	}
118cf7
 
118cf7
+	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
118cf7
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
118cf7
 	return 0;
118cf7
 
118cf7
       cleanup:
118cf7
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
118cf7
 	_gnutls_free_datum(&tmp);
118cf7
 	return result;
118cf7
 }
118cf7
@@ -1203,8 +1231,11 @@ pkcs12_try_gost:
118cf7
 		goto cleanup;
118cf7
 	}
118cf7
 
118cf7
+	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
118cf7
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
118cf7
 	result = 0;
118cf7
  cleanup:
118cf7
+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
118cf7
 	_gnutls_free_datum(&tmp);
118cf7
 	_gnutls_free_datum(&salt);
118cf7
 	return result;
118cf7
diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
118cf7
index 3b0e84ef13..b8f7d17267 100644
118cf7
--- a/tests/pkcs12_encode.c
118cf7
+++ b/tests/pkcs12_encode.c
118cf7
@@ -70,6 +70,29 @@ static void tls_log_func(int level, const char *str)
118cf7
 	fprintf(stderr, "|<%d>| %s", level, str);
118cf7
 }
118cf7
 
118cf7
+#define FIPS_PUSH_CONTEXT() do {					\
118cf7
+	if (gnutls_fips140_mode_enabled()) {				\
118cf7
+		ret = gnutls_fips140_push_context(fips_context);	\
118cf7
+		if (ret < 0) {						\
118cf7
+			fail("gnutls_fips140_push_context failed\n");	\
118cf7
+		}							\
118cf7
+	}								\
118cf7
+} while (0)
118cf7
+
118cf7
+#define FIPS_POP_CONTEXT(state) do {					\
118cf7
+	if (gnutls_fips140_mode_enabled()) {				\
118cf7
+		ret = gnutls_fips140_pop_context();			\
118cf7
+		if (ret < 0) {						\
118cf7
+			fail("gnutls_fips140_context_pop failed\n");	\
118cf7
+		}							\
118cf7
+		fips_state = gnutls_fips140_get_operation_state(fips_context); \
118cf7
+		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
118cf7
+			fail("operation state is not " # state " (%d)\n", \
118cf7
+			     fips_state);				\
118cf7
+		}							\
118cf7
+	}								\
118cf7
+} while (0)
118cf7
+
118cf7
 void doit(void)
118cf7
 {
118cf7
 	gnutls_pkcs12_t pkcs12;
118cf7
@@ -82,6 +105,8 @@ void doit(void)
118cf7
 	char outbuf[10240];
118cf7
 	size_t size;
118cf7
 	unsigned tests, i;
118cf7
+	gnutls_fips140_context_t fips_context;
118cf7
+	gnutls_fips140_operation_state_t fips_state;
118cf7
 
118cf7
 	ret = global_init();
118cf7
 	if (ret < 0) {
118cf7
@@ -93,6 +118,11 @@ void doit(void)
118cf7
 	if (debug)
118cf7
 		gnutls_global_set_log_level(4711);
118cf7
 
118cf7
+	ret = gnutls_fips140_context_init(&fips_context);
118cf7
+	if (ret < 0) {
118cf7
+		fail("Cannot initialize FIPS context\n");
118cf7
+	}
118cf7
+
118cf7
 	/* Read certs. */
118cf7
 	ret = gnutls_x509_crt_init(&client);
118cf7
 	if (ret < 0) {
118cf7
@@ -196,6 +226,8 @@ void doit(void)
118cf7
 		gnutls_pkcs12_bag_deinit(bag);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_PUSH_CONTEXT();
118cf7
+
118cf7
 	/* MAC the structure, export and print. */
118cf7
 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, "pass");
118cf7
 	if (ret < 0) {
118cf7
@@ -203,36 +235,60 @@ void doit(void)
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_POP_CONTEXT(NOT_APPROVED);
118cf7
+
118cf7
+	FIPS_PUSH_CONTEXT();
118cf7
+
118cf7
 	ret = gnutls_pkcs12_verify_mac(pkcs12, "pass");
118cf7
 	if (ret < 0) {
118cf7
 		fprintf(stderr, "verify_mac: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_POP_CONTEXT(NOT_APPROVED);
118cf7
+
118cf7
+	FIPS_PUSH_CONTEXT();
118cf7
+
118cf7
 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA256, "passwd");
118cf7
 	if (ret < 0) {
118cf7
 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_POP_CONTEXT(NOT_APPROVED);
118cf7
+
118cf7
+	FIPS_PUSH_CONTEXT();
118cf7
+
118cf7
 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd");
118cf7
 	if (ret < 0) {
118cf7
 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_POP_CONTEXT(NOT_APPROVED);
118cf7
+
118cf7
+	FIPS_PUSH_CONTEXT();
118cf7
+
118cf7
 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
118cf7
 	if (ret < 0) {
118cf7
 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_POP_CONTEXT(NOT_APPROVED);
118cf7
+
118cf7
+	FIPS_PUSH_CONTEXT();
118cf7
+
118cf7
 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
118cf7
 	if (ret < 0) {
118cf7
 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_POP_CONTEXT(NOT_APPROVED);
118cf7
+
118cf7
+	FIPS_PUSH_CONTEXT();
118cf7
+
118cf7
 	size = sizeof(outbuf);
118cf7
 	ret =
118cf7
 	    gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
118cf7
@@ -242,10 +298,13 @@ void doit(void)
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
+	FIPS_POP_CONTEXT(NOT_APPROVED);
118cf7
+
118cf7
 	if (debug)
118cf7
 		fwrite(outbuf, size, 1, stdout);
118cf7
 
118cf7
 	/* Cleanup. */
118cf7
+	gnutls_fips140_context_deinit(fips_context);
118cf7
 	gnutls_pkcs12_deinit(pkcs12);
118cf7
 	gnutls_x509_crt_deinit(client);
118cf7
 	gnutls_x509_crt_deinit(ca);
118cf7
-- 
118cf7
2.34.1
118cf7
118cf7
118cf7
From e7f9267342bc2231149a640163c82b63c86f1dfd Mon Sep 17 00:00:00 2001
118cf7
From: Daiki Ueno <ueno@gnu.org>
118cf7
Date: Thu, 10 Feb 2022 17:35:13 +0100
118cf7
Subject: [PATCH 2/2] _gnutls_pkcs_raw_{decrypt,encrypt}_data: use public
118cf7
 crypto API
118cf7
118cf7
These functions previously used the internal crypto
118cf7
API (_gnutls_cipher_*) which does not have algorithm checks for FIPS.
118cf7
118cf7
This change switches the code to use the public crypto
118cf7
API (gnutls_cipher_*) to trigger proper state transitions under FIPS
118cf7
mode.
118cf7
118cf7
Signed-off-by: Daiki Ueno <ueno@gnu.org>
118cf7
---
118cf7
 lib/x509/pkcs7-crypt.c | 36 +++++++++++-----------------
118cf7
 tests/pkcs12_encode.c  | 54 +++++++++++++++++++++++++++---------------
118cf7
 2 files changed, 49 insertions(+), 41 deletions(-)
118cf7
118cf7
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
118cf7
index 4cce52ecf0..2dc5bc4df0 100644
118cf7
--- a/lib/x509/pkcs7-crypt.c
118cf7
+++ b/lib/x509/pkcs7-crypt.c
118cf7
@@ -1130,8 +1130,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
118cf7
 	gnutls_datum_t enc = { NULL, 0 };
118cf7
 	uint8_t *key = NULL;
118cf7
 	gnutls_datum_t dkey, d_iv;
118cf7
-	cipher_hd_st ch;
118cf7
-	int ch_init = 0;
118cf7
+	gnutls_cipher_hd_t ch = NULL;
118cf7
 	int key_size, ret;
118cf7
 	unsigned int pass_len = 0;
118cf7
 	const struct pkcs_cipher_schema_st *p;
118cf7
@@ -1237,8 +1236,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
118cf7
 	d_iv.data = (uint8_t *) enc_params->iv;
118cf7
 	d_iv.size = enc_params->iv_size;
118cf7
 
118cf7
-	ret =
118cf7
-	    _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
118cf7
+	ret = gnutls_cipher_init(&ch, ce->id, &dkey, &d_iv);
118cf7
 
118cf7
 	gnutls_free(key);
118cf7
 
118cf7
@@ -1247,9 +1245,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
118cf7
 		goto error;
118cf7
 	}
118cf7
 
118cf7
-	ch_init = 1;
118cf7
-
118cf7
-	ret = _gnutls_cipher_decrypt(&ch, enc.data, enc.size);
118cf7
+	ret = gnutls_cipher_decrypt(ch, enc.data, enc.size);
118cf7
 	if (ret < 0) {
118cf7
 		gnutls_assert();
118cf7
 		ret = GNUTLS_E_DECRYPTION_FAILED;
118cf7
@@ -1281,7 +1277,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
118cf7
 		decrypted_data->size = enc.size;
118cf7
 	}
118cf7
 
118cf7
-	_gnutls_cipher_deinit(&ch);
118cf7
+	gnutls_cipher_deinit(ch);
118cf7
 
118cf7
 	ret = 0;
118cf7
 
118cf7
@@ -1294,8 +1290,9 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
118cf7
 	gnutls_free(password);
118cf7
 	gnutls_free(enc.data);
118cf7
 	gnutls_free(key);
118cf7
-	if (ch_init != 0)
118cf7
-		_gnutls_cipher_deinit(&ch);
118cf7
+	if (ch) {
118cf7
+		gnutls_cipher_deinit(ch);
118cf7
+	}
118cf7
 	return ret;
118cf7
 }
118cf7
 
118cf7
@@ -1725,8 +1722,7 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
118cf7
 	int data_size;
118cf7
 	uint8_t *data = NULL;
118cf7
 	gnutls_datum_t d_iv;
118cf7
-	cipher_hd_st ch;
118cf7
-	int ch_init = 0;
118cf7
+	gnutls_cipher_hd_t ch = NULL;
118cf7
 	uint8_t pad, pad_size;
118cf7
 	const cipher_entry_st *ce;
118cf7
 
118cf7
@@ -1756,18 +1752,13 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
118cf7
 
118cf7
 	d_iv.data = (uint8_t *) enc_params->iv;
118cf7
 	d_iv.size = enc_params->iv_size;
118cf7
-	result =
118cf7
-	    _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher),
118cf7
-				key, &d_iv, 1);
118cf7
-
118cf7
+	result = gnutls_cipher_init(&ch, enc_params->cipher, key, &d_iv);
118cf7
 	if (result < 0) {
118cf7
 		gnutls_assert();
118cf7
 		goto error;
118cf7
 	}
118cf7
 
118cf7
-	ch_init = 1;
118cf7
-
118cf7
-	result = _gnutls_cipher_encrypt(&ch, data, data_size);
118cf7
+	result = gnutls_cipher_encrypt(ch, data, data_size);
118cf7
 	if (result < 0) {
118cf7
 		gnutls_assert();
118cf7
 		goto error;
118cf7
@@ -1776,13 +1767,14 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
118cf7
 	encrypted->data = data;
118cf7
 	encrypted->size = data_size;
118cf7
 
118cf7
-	_gnutls_cipher_deinit(&ch);
118cf7
+	gnutls_cipher_deinit(ch);
118cf7
 
118cf7
 	return 0;
118cf7
 
118cf7
  error:
118cf7
 	gnutls_free(data);
118cf7
-	if (ch_init != 0)
118cf7
-		_gnutls_cipher_deinit(&ch);
118cf7
+	if (ch) {
118cf7
+		gnutls_cipher_deinit(ch);
118cf7
+	}
118cf7
 	return result;
118cf7
 }
118cf7
diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
118cf7
index b8f7d17267..78f6f41b48 100644
118cf7
--- a/tests/pkcs12_encode.c
118cf7
+++ b/tests/pkcs12_encode.c
118cf7
@@ -104,9 +104,17 @@ void doit(void)
118cf7
 	int ret, indx;
118cf7
 	char outbuf[10240];
118cf7
 	size_t size;
118cf7
-	unsigned tests, i;
118cf7
+	unsigned i;
118cf7
 	gnutls_fips140_context_t fips_context;
118cf7
 	gnutls_fips140_operation_state_t fips_state;
118cf7
+	size_t n_tests = 0;
118cf7
+	struct tests {
118cf7
+		const char *name;
118cf7
+		gnutls_x509_crt_t crt;
118cf7
+		const char *friendly_name;
118cf7
+		unsigned bag_encrypt_flags;
118cf7
+		int bag_encrypt_expected;
118cf7
+	} tests[2];
118cf7
 
118cf7
 	ret = global_init();
118cf7
 	if (ret < 0) {
118cf7
@@ -157,21 +165,34 @@ void doit(void)
118cf7
 		exit(1);
118cf7
 	}
118cf7
 
118cf7
-	/* Generate and add PKCS#12 cert bags. */
118cf7
-	if (!gnutls_fips140_mode_enabled()) {
118cf7
-		tests = 2; /* include RC2 */
118cf7
+	tests[n_tests].name = "3DES";
118cf7
+	tests[n_tests].crt = client;
118cf7
+	tests[n_tests].friendly_name = "client";
118cf7
+	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS8_USE_PKCS12_3DES;
118cf7
+	tests[n_tests].bag_encrypt_expected = 0;
118cf7
+	n_tests++;
118cf7
+
118cf7
+	tests[n_tests].name = "RC2-40";
118cf7
+	tests[n_tests].crt = ca;
118cf7
+	tests[n_tests].friendly_name = "ca";
118cf7
+	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
118cf7
+	if (gnutls_fips140_mode_enabled()) {
118cf7
+		tests[n_tests].bag_encrypt_expected =
118cf7
+			GNUTLS_E_UNWANTED_ALGORITHM;
118cf7
 	} else {
118cf7
-		tests = 1;
118cf7
+		tests[n_tests].bag_encrypt_expected = 0;
118cf7
 	}
118cf7
+	n_tests++;
118cf7
 
118cf7
-	for (i = 0; i < tests; i++) {
118cf7
+	/* Generate and add PKCS#12 cert bags. */
118cf7
+	for (i = 0; i < n_tests; i++) {
118cf7
 		ret = gnutls_pkcs12_bag_init(&bag;;
118cf7
 		if (ret < 0) {
118cf7
 			fprintf(stderr, "bag_init: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 			exit(1);
118cf7
 		}
118cf7
 
118cf7
-		ret = gnutls_pkcs12_bag_set_crt(bag, i == 0 ? client : ca);
118cf7
+		ret = gnutls_pkcs12_bag_set_crt(bag, tests[i].crt);
118cf7
 		if (ret < 0) {
118cf7
 			fprintf(stderr, "set_crt: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 			exit(1);
118cf7
@@ -180,16 +201,14 @@ void doit(void)
118cf7
 		indx = ret;
118cf7
 
118cf7
 		ret = gnutls_pkcs12_bag_set_friendly_name(bag, indx,
118cf7
-							  i ==
118cf7
-							  0 ? "client" :
118cf7
-							  "ca");
118cf7
+							  tests[i].friendly_name);
118cf7
 		if (ret < 0) {
118cf7
 			fprintf(stderr, "set_friendly_name: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
 			exit(1);
118cf7
 		}
118cf7
 
118cf7
 		size = sizeof(key_id_buf);
118cf7
-		ret = gnutls_x509_crt_get_key_id(i == 0 ? client : ca, 0,
118cf7
+		ret = gnutls_x509_crt_get_key_id(tests[i].crt, 0,
118cf7
 						 key_id_buf, &size);
118cf7
 		if (ret < 0) {
118cf7
 			fprintf(stderr, "get_key_id: %s (%d)\n", gnutls_strerror(ret), ret);
118cf7
@@ -206,14 +225,11 @@ void doit(void)
118cf7
 		}
118cf7
 
118cf7
 		ret = gnutls_pkcs12_bag_encrypt(bag, "pass",
118cf7
-						i ==
118cf7
-						0 ?
118cf7
-						GNUTLS_PKCS8_USE_PKCS12_3DES
118cf7
-						:
118cf7
-						GNUTLS_PKCS_USE_PKCS12_RC2_40);
118cf7
-		if (ret < 0) {
118cf7
-			fprintf(stderr, "bag_encrypt: %d: %s", ret,
118cf7
-				i == 0 ? "3DES" : "RC2-40");
118cf7
+						tests[i].bag_encrypt_flags);
118cf7
+		if (ret != tests[i].bag_encrypt_expected) {
118cf7
+			fprintf(stderr, "bag_encrypt: returned %d, expected %d: %s", ret,
118cf7
+				tests[i].bag_encrypt_expected,
118cf7
+				tests[i].name);
118cf7
 			exit(1);
118cf7
 		}
118cf7
 
118cf7
-- 
118cf7
2.34.1
118cf7