Rebase to 1.13rc2

Do not enable tls1.3 by default Related: BZ#1737471
2019-08-30 10:17:00 +02:00 · 2019-08-30 10:17:00 +02:00 · e45411af09
commit e45411af09
parent af8d391cb2
5 changed files with 77 additions and 327 deletions
--- a/.gitignore
+++ b/.gitignore
@ -72,3 +72,4 @@
 /go1.12.7.src.tar.gz
 /go1.13beta1.src.tar.gz
 /go1.13rc1.src.tar.gz
 /go1.13rc2.src.tar.gz
--- a/0001-release-branch.go1.13-net-http-update-bundled-golang.patch
+++ b/0001-release-branch.go1.13-net-http-update-bundled-golang.patch
@ -1,323 +0,0 @@
 From 5c379a437e904eb1f94296fa9d45276cd6e4f5a9 Mon Sep 17 00:00:00 2001
 From: Filippo Valsorda <filippo@golang.org>
 Date: Tue, 13 Aug 2019 16:29:01 -0400
 Subject: [PATCH] [release-branch.go1.13] net/http: update bundled
 golang.org/x/net/http2 to import security fix
 Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import
 the following security fix.
    commit 74dc4d7220e7acc4e100824340f3e66577424772
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400
    http2: limit number of control frames in server send queue
    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.
    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.
    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.
    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
 This change was generated with cmd/go and cmd/bundle:
 $ go get -u golang.org/x/net
 $ go mod tidy
 $ go mod vendor
 $ go generate net/http
 Fixes CVE-2019-9512 and CVE-2019-9514
 Fixes #33606
 Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
 Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
 (cherry picked from commit 145e193131eb486077b66009beb051aba07c52a5)
 Reviewed-on: https://go-review.googlesource.com/c/go/+/191618
 Run-TryBot: Filippo Valsorda <filippo@golang.org>
 TryBot-Result: Gobot Gobot <gobot@golang.org>
 ---
 src/go.mod                                    |  2 +-
 src/go.sum                                    |  4 +-
 src/net/http/h2_bundle.go                     | 56 +++++++++++++++----
 .../x/net/lif/zsys_solaris_amd64.go           |  2 +-
 .../golang.org/x/net/route/zsys_darwin.go     |  2 +-
 .../golang.org/x/net/route/zsys_dragonfly.go  |  2 +-
 .../x/net/route/zsys_freebsd_386.go           |  2 +-
 .../x/net/route/zsys_freebsd_amd64.go         |  2 +-
 .../x/net/route/zsys_freebsd_arm.go           |  2 +-
 .../golang.org/x/net/route/zsys_netbsd.go     |  2 +-
 .../golang.org/x/net/route/zsys_openbsd.go    |  2 +-
 src/vendor/modules.txt                        |  2 +-
 12 files changed, 58 insertions(+), 22 deletions(-)
 diff --git a/src/go.mod b/src/go.mod
 index 0d7d70f014..90af2a7ea0 100644
 --- a/src/go.mod
 +++ b/src/go.mod
@@ -4,7 +4,7 @@ go 1.12
 require (
 	golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8
 -	golang.org/x/net v0.0.0-20190607181551-461777fb6f67
 +	golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
 	golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 // indirect
 	golang.org/x/text v0.3.2 // indirect
 )
 diff --git a/src/go.sum b/src/go.sum
 index 363ee7ae23..e358118e4c 100644
 --- a/src/go.sum
 +++ b/src/go.sum
@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 -golang.org/x/net v0.0.0-20190607181551-461777fb6f67 h1:rJJxsykSlULwd2P2+pg/rtnwN2FrWp4IuCxOSyS0V00=
 -golang.org/x/net v0.0.0-20190607181551-461777fb6f67/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA=
 +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 h1:2WjIC11WRITGlVWmyLXKjzIVj1ZwoWZ//tadeUUV6/o=
 diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
 index 173622fc8b..53cc5bd1b8 100644
 --- a/src/net/http/h2_bundle.go
 +++ b/src/net/http/h2_bundle.go
@@ -3611,10 +3611,11 @@ func (p *http2pipe) Done() <-chan struct{} {
 }
 const (
 -	http2prefaceTimeout        = 10 * time.Second
 -	http2firstSettingsTimeout  = 2 * time.Second // should be in-flight with preface anyway
 -	http2handlerChunkWriteSize = 4 << 10
 -	http2defaultMaxStreams     = 250 // TODO: make this 100 as the GFE seems to?
 +	http2prefaceTimeout         = 10 * time.Second
 +	http2firstSettingsTimeout   = 2 * time.Second // should be in-flight with preface anyway
 +	http2handlerChunkWriteSize  = 4 << 10
 +	http2defaultMaxStreams      = 250 // TODO: make this 100 as the GFE seems to?
 +	http2maxQueuedControlFrames = 10000
 )
 var (
@@ -3722,6 +3723,15 @@ func (s *http2Server) maxConcurrentStreams() uint32 {
 	return http2defaultMaxStreams
 }
 +// maxQueuedControlFrames is the maximum number of control frames like
 +// SETTINGS, PING and RST_STREAM that will be queued for writing before
 +// the connection is closed to prevent memory exhaustion attacks.
 +func (s *http2Server) maxQueuedControlFrames() int {
 +	// TODO: if anybody asks, add a Server field, and remember to define the
 +	// behavior of negative values.
 +	return http2maxQueuedControlFrames
 +}
 +
 type http2serverInternalState struct {
 	mu          sync.Mutex
 	activeConns map[*http2serverConn]struct{}
@@ -4065,6 +4075,7 @@ type http2serverConn struct {
 	sawFirstSettings            bool // got the initial SETTINGS frame after the preface
 	needToSendSettingsAck       bool
 	unackedSettings             int    // how many SETTINGS have we sent without ACKs?
 +	queuedControlFrames         int    // control frames in the writeSched queue
 	clientMaxStreams            uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit)
 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
 	curClientStreams            uint32 // number of open streams initiated by the client
@@ -4456,6 +4467,14 @@ func (sc *http2serverConn) serve() {
 			}
 		}
 +		// If the peer is causing us to generate a lot of control frames,
 +		// but not reading them from us, assume they are trying to make us
 +		// run out of memory.
 +		if sc.queuedControlFrames > sc.srv.maxQueuedControlFrames() {
 +			sc.vlogf("http2: too many control frames in send queue, closing connection")
 +			return
 +		}
 +
 		// Start the shutdown timer after sending a GOAWAY. When sending GOAWAY
 		// with no error code (graceful shutdown), don't start the timer until
 		// all open streams have been completed.
@@ -4657,6 +4676,14 @@ func (sc *http2serverConn) writeFrame(wr http2FrameWriteRequest) {
 	}
 	if !ignoreWrite {
 +		if wr.isControl() {
 +			sc.queuedControlFrames++
 +			// For extra safety, detect wraparounds, which should not happen,
 +			// and pull the plug.
 +			if sc.queuedControlFrames < 0 {
 +				sc.conn.Close()
 +			}
 +		}
 		sc.writeSched.Push(wr)
 	}
 	sc.scheduleFrameWrite()
@@ -4774,10 +4801,8 @@ func (sc *http2serverConn) wroteFrame(res http2frameWriteResult) {
 // If a frame is already being written, nothing happens. This will be called again
 // when the frame is done being written.
 //
 -// If a frame isn't being written we need to send one, the best frame
 -// to send is selected, preferring first things that aren't
 -// stream-specific (e.g. ACKing settings), and then finding the
 -// highest priority stream.
 +// If a frame isn't being written and we need to send one, the best frame
 +// to send is selected by writeSched.
 //
 // If a frame isn't being written and there's nothing else to send, we
 // flush the write buffer.
@@ -4805,6 +4830,9 @@ func (sc *http2serverConn) scheduleFrameWrite() {
 		}
 		if !sc.inGoAway || sc.goAwayCode == http2ErrCodeNo {
 			if wr, ok := sc.writeSched.Pop(); ok {
 +				if wr.isControl() {
 +					sc.queuedControlFrames--
 +				}
 				sc.startFrameWrite(wr)
 				continue
 			}
@@ -5097,6 +5125,8 @@ func (sc *http2serverConn) processSettings(f *http2SettingsFrame) error {
 	if err := f.ForeachSetting(sc.processSetting); err != nil {
 		return err
 	}
 +	// TODO: judging by RFC 7540, Section 6.5.3 each SETTINGS frame should be
 +	// acknowledged individually, even if multiple are received before the ACK.
 	sc.needToSendSettingsAck = true
 	sc.scheduleFrameWrite()
 	return nil
@@ -7451,7 +7481,7 @@ func (cc *http2ClientConn) roundTrip(req *Request) (res *Response, gotErrAfterRe
 		req.Method != "HEAD" {
 		// Request gzip only, not deflate. Deflate is ambiguous and
 		// not as universally supported anyway.
 -		// See: http://www.gzip.org/zlib/zlib_faq.html#faq38
 +		// See: https://zlib.net/zlib_faq.html#faq39
 		//
 		// Note that we don't request this for HEAD requests,
 		// due to a bug in nginx:
@@ -9445,7 +9475,7 @@ type http2WriteScheduler interface {
 	// Pop dequeues the next frame to write. Returns false if no frames can
 	// be written. Frames with a given wr.StreamID() are Pop'd in the same
 -	// order they are Push'd.
 +	// order they are Push'd. No frames should be discarded except by CloseStream.
 	Pop() (wr http2FrameWriteRequest, ok bool)
 }
@@ -9489,6 +9519,12 @@ func (wr http2FrameWriteRequest) StreamID() uint32 {
 	return wr.stream.id
 }
 +// isControl reports whether wr is a control frame for MaxQueuedControlFrames
 +// purposes. That includes non-stream frames and RST_STREAM frames.
 +func (wr http2FrameWriteRequest) isControl() bool {
 +	return wr.stream == nil
 +}
 +
 // DataSize returns the number of flow control bytes that must be consumed
 // to write this entire frame. This is 0 for non-DATA frames.
 func (wr http2FrameWriteRequest) DataSize() int {
 diff --git a/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go b/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
 index b5e999bec3..d7a70d4ed9 100644
 --- a/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
 +++ b/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_solaris.go
 package lif
 diff --git a/src/vendor/golang.org/x/net/route/zsys_darwin.go b/src/vendor/golang.org/x/net/route/zsys_darwin.go
 index 4e2e1ab090..19e4133f7d 100644
 --- a/src/vendor/golang.org/x/net/route/zsys_darwin.go
 +++ b/src/vendor/golang.org/x/net/route/zsys_darwin.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_darwin.go
 package route
 diff --git a/src/vendor/golang.org/x/net/route/zsys_dragonfly.go b/src/vendor/golang.org/x/net/route/zsys_dragonfly.go
 index 719c88d11f..8ed2d4d550 100644
 --- a/src/vendor/golang.org/x/net/route/zsys_dragonfly.go
 +++ b/src/vendor/golang.org/x/net/route/zsys_dragonfly.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_dragonfly.go
 package route
 diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go
 index b03bc01f65..f36aaadb59 100644
 --- a/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go
 +++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_freebsd.go
 package route
 diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go
 index 0b675b3d3f..4c639b82e4 100644
 --- a/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go
 +++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_freebsd.go
 package route
 diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go
 index 58f8ea16f2..710c1472b6 100644
 --- a/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go
 +++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_freebsd.go
 package route
 diff --git a/src/vendor/golang.org/x/net/route/zsys_netbsd.go b/src/vendor/golang.org/x/net/route/zsys_netbsd.go
 index e0df45e8b5..b4f66ca6cb 100644
 --- a/src/vendor/golang.org/x/net/route/zsys_netbsd.go
 +++ b/src/vendor/golang.org/x/net/route/zsys_netbsd.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_netbsd.go
 package route
 diff --git a/src/vendor/golang.org/x/net/route/zsys_openbsd.go b/src/vendor/golang.org/x/net/route/zsys_openbsd.go
 index db8c8efb49..1021b4cea4 100644
 --- a/src/vendor/golang.org/x/net/route/zsys_openbsd.go
 +++ b/src/vendor/golang.org/x/net/route/zsys_openbsd.go
@@ -1,4 +1,4 @@
 -// Created by cgo -godefs - DO NOT EDIT
 +// Code generated by cmd/cgo -godefs; DO NOT EDIT.
 // cgo -godefs defs_openbsd.go
 package route
 diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
 index 20f261bf83..453a312661 100644
 --- a/src/vendor/modules.txt
 +++ b/src/vendor/modules.txt
@@ -7,7 +7,7 @@ golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/chacha20
 golang.org/x/crypto/internal/subtle
 golang.org/x/crypto/poly1305
 -# golang.org/x/net v0.0.0-20190607181551-461777fb6f67
 +# golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
 golang.org/x/net/dns/dnsmessage
 golang.org/x/net/http/httpguts
 golang.org/x/net/http/httpproxy
 -- 
 2.21.0
--- a/disable-tls13-fornow.patch
+++ b/disable-tls13-fornow.patch
@ -0,0 +1,67 @@
 diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
 index ef0b385848..d888d1716f 100644
 --- a/src/crypto/tls/common.go
 +++ b/src/crypto/tls/common.go
@@ -808,7 +808,7 @@ func (c *Config) supportedVersions(isClient bool) []uint16 {
 		if isClient && v < VersionTLS10 {
 			continue
 		}
 -		// TLS 1.3 is opt-out in Go 1.13.
 +		// TLS 1.3 is opt-in in Go 1.12.
 		if v == VersionTLS13 && !isTLS13Supported() {
 			continue
 		}
@@ -823,11 +823,11 @@ var tls13Support struct {
 	cached bool
 }
 -// isTLS13Supported returns whether the program enabled TLS 1.3 by not opting
 -// out with GODEBUG=tls13=0. It's cached after the first execution.
 +// isTLS13Supported returns whether the program opted into TLS 1.3 via
 +// GODEBUG=tls13=1. It's cached after the first execution.
 func isTLS13Supported() bool {
 	tls13Support.Do(func() {
 -		tls13Support.cached = goDebugString("tls13") != "0"
 +		tls13Support.cached = goDebugString("tls13") == "1"
 	})
 	return tls13Support.cached
 }
 diff --git a/src/crypto/tls/tls.go b/src/crypto/tls/tls.go
 index ba6d5eba15..c42f909b93 100644
 --- a/src/crypto/tls/tls.go
 +++ b/src/crypto/tls/tls.go
@@ -5,9 +5,14 @@
 // Package tls partially implements TLS 1.2, as specified in RFC 5246,
 // and TLS 1.3, as specified in RFC 8446.
 //
 -// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable
 +// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable
 // it, set the GODEBUG environment variable (comma-separated key=value
 -// options) such that it includes "tls13=0".
 +// options) such that it includes "tls13=1". To enable it from within
 +// the process, set the environment variable before any use of TLS:
 +//
 +//     func init() {
 +//         os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
 +//     }
 package tls
 // BUG(agl): The crypto/tls package only implements some countermeasures
 diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go
 index b68c074855..5003381c37 100644
 --- a/src/crypto/tls/tls_test.go
 +++ b/src/crypto/tls/tls_test.go
@@ -23,6 +23,13 @@ import (
 	"time"
 )
 +func init() {
 +	// TLS 1.3 is opt-in for Go 1.12, but we want to run most tests with it enabled.
 +	// TestTLS13Switch below tests the disabled behavior. See Issue 30055.
 +	tls13Support.Do(func() {}) // defuse the sync.Once
 +	tls13Support.cached = true
 +}
 +
 var rsaCertPEM = `-----BEGIN CERTIFICATE-----
 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
--- a/golang.spec
+++ b/golang.spec
@ -102,11 +102,11 @@
 %endif
 %global go_api 1.13
-%global go_version 1.13rc1
+%global go_version 1.13rc2
 Name:           golang
 Version:        1.13
-Release:        0.rc1.2%{?dist}
+Release:        0.rc2.1%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -184,7 +184,7 @@ Requires:       go-srpm-macros
 Patch1:       0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
 Patch2:       0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
 Patch3:       0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
-Patch4:       0001-release-branch.go1.13-net-http-update-bundled-golang.patch
+Patch4:       disable-tls13-fornow.patch
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@ -550,6 +550,11 @@ fi
 %endif
 %changelog
 * Fri Aug 30 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.rc2.1
 - Rebase to go1.13rc2
 - Do not enable tls1.3 by default
 - Related: BZ#1737471
 * Wed Aug 28 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.rc1.2
 - Actually fix CVE-2019-9514 and CVE-2019-9512
 - Related: BZ#1741816, BZ#1741827
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (go1.13rc1.src.tar.gz) = 05619b580ed910a7ffbee7c1d90f3f6b71c1bc34decea575aa106786c9f4a0c794d20440bde9a6b2a774ca8a27361b1f550d094211c52325a1ef078c5779089b
+SHA512 (go1.13rc2.src.tar.gz) = 3f9b3d93398945b8dd757b574b4647802635ef9bba1cb04229d8e224d04a03a5feca888d3c740f3da9133d55fb3a2c972256c0ae176ca2938ac6ecc47aa44b0b
`@ -1 +1 @@`
	`SHA512 (go1.13rc1.src.tar.gz) = 05619b580ed910a7ffbee7c1d90f3f6b71c1bc34decea575aa106786c9f4a0c794d20440bde9a6b2a774ca8a27361b1f550d094211c52325a1ef078c5779089b`	`SHA512 (go1.13rc2.src.tar.gz) = 3f9b3d93398945b8dd757b574b4647802635ef9bba1cb04229d8e224d04a03a5feca888d3c740f3da9133d55fb3a2c972256c0ae176ca2938ac6ecc47aa44b0b`