# include <openssl/rsa.h>
#endif
#include <openssl/bn.h>
-#ifndef OPENSSL_NO_JPAKE
-# include <openssl/jpake.h>
-#endif
#include <openssl/ssl.h>
#include "apps.h"
for (p = buf;;) {
/* Skip whitespace. */
- while (*p && isspace(*p))
+ while (*p && isspace(_UC(*p)))
p++;
if (!*p)
break;
p++;
*p++ = '\0';
} else {
- while (*p && !isspace(*p))
+ while (*p && !isspace(_UC(*p)))
p++;
if (*p)
*p++ = '\0';
return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
}
+#ifndef OPENSSL_NO_CT
+
+int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
+{
+ if (path == NULL) {
+ return SSL_CTX_set_default_ctlog_list_file(ctx);
+ }
+
+ return SSL_CTX_set_ctlog_list_file(ctx, path);
+}
+
+#endif
+
int dump_cert_text(BIO *out, X509 *x)
{
char *p;
return ret;
}
-int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
+#ifndef OPENSSL_NO_OCSP
+static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
{
char *host = NULL, *port = NULL, *path = NULL;
BIO *bio = NULL;
}
return rv;
}
+#endif
-X509 *load_cert(const char *file, int format,
- const char *pass, ENGINE *e, const char *cert_descrip)
+X509 *load_cert(const char *file, int format, const char *cert_descrip)
{
X509 *x = NULL;
BIO *cert;
if (format == FORMAT_HTTP) {
+#ifndef OPENSSL_NO_OCSP
load_cert_crl_http(file, &x, NULL);
+#endif
return x;
}
BIO *in = NULL;
if (format == FORMAT_HTTP) {
+#ifndef OPENSSL_NO_OCSP
load_cert_crl_http(infile, NULL, &x);
+#endif
return x;
}
BIO_printf(bio_err, "no keyfile specified\n");
goto end;
}
-#ifndef OPENSSL_NO_ENGINE
if (format == FORMAT_ENGINE) {
- if (!e)
+ if (e == NULL)
BIO_printf(bio_err, "no engine specified\n");
else {
+#ifndef OPENSSL_NO_ENGINE
pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
- if (!pkey) {
+ if (pkey == NULL) {
BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
ERR_print_errors(bio_err);
}
+#else
+ BIO_printf(bio_err, "engines not supported\n");
+#endif
}
goto end;
}
-#endif
if (file == NULL && maybe_stdin) {
unbuffer(stdin);
key = dup_bio_in(format);
BIO_printf(bio_err, "no keyfile specified\n");
goto end;
}
-#ifndef OPENSSL_NO_ENGINE
if (format == FORMAT_ENGINE) {
- if (!e)
+ if (e == NULL)
BIO_printf(bio_err, "no engine specified\n");
- else
+ else {
+#ifndef OPENSSL_NO_ENGINE
pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
+ if (pkey == NULL) {
+ BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
+ ERR_print_errors(bio_err);
+ }
+#else
+ BIO_printf(bio_err, "engines not supported\n");
+#endif
+ }
goto end;
}
-#endif
if (file == NULL && maybe_stdin) {
unbuffer(stdin);
key = dup_bio_in(format);
if (format == FORMAT_ASN1) {
pkey = d2i_PUBKEY_bio(key, NULL);
}
-#ifndef OPENSSL_NO_RSA
else if (format == FORMAT_ASN1RSA) {
+#ifndef OPENSSL_NO_RSA
RSA *rsa;
rsa = d2i_RSAPublicKey_bio(key, NULL);
if (rsa) {
EVP_PKEY_set1_RSA(pkey, rsa);
RSA_free(rsa);
} else
+#else
+ BIO_printf(bio_err, "RSA keys not supported\n");
+#endif
pkey = NULL;
} else if (format == FORMAT_PEMRSA) {
+#ifndef OPENSSL_NO_RSA
RSA *rsa;
rsa = PEM_read_bio_RSAPublicKey(key, NULL,
(pem_password_cb *)password_callback,
EVP_PKEY_set1_RSA(pkey, rsa);
RSA_free(rsa);
} else
+#else
+ BIO_printf(bio_err, "RSA keys not supported\n");
+#endif
pkey = NULL;
}
-#endif
else if (format == FORMAT_PEM) {
pkey = PEM_read_bio_PUBKEY(key, NULL,
(pem_password_cb *)password_callback,
}
static int load_certs_crls(const char *file, int format,
- const char *pass, ENGINE *e, const char *desc,
+ const char *pass, const char *desc,
STACK_OF(X509) **pcerts,
STACK_OF(X509_CRL) **pcrls)
{
BIO_free(bio);
- if (pcerts) {
+ if (pcerts && *pcerts == NULL) {
*pcerts = sk_X509_new_null();
if (!*pcerts)
goto end;
}
- if (pcrls) {
+ if (pcrls && *pcrls == NULL) {
*pcrls = sk_X509_CRL_new_null();
if (!*pcrls)
goto end;
return vp;
}
-
-
-STACK_OF(X509) *load_certs(const char *file, int format,
- const char *pass, ENGINE *e, const char *desc)
+/*
+ * Initialize or extend, if *certs != NULL, a certificate stack.
+ */
+int load_certs(const char *file, STACK_OF(X509) **certs, int format,
+ const char *pass, const char *desc)
{
- STACK_OF(X509) *certs;
- if (!load_certs_crls(file, format, pass, e, desc, &certs, NULL))
- return NULL;
- return certs;
+ return load_certs_crls(file, format, pass, desc, certs, NULL);
}
-STACK_OF(X509_CRL) *load_crls(const char *file, int format,
- const char *pass, ENGINE *e, const char *desc)
+/*
+ * Initialize or extend, if *crls != NULL, a certificate stack.
+ */
+int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
+ const char *pass, const char *desc)
{
- STACK_OF(X509_CRL) *crls;
- if (!load_certs_crls(file, format, pass, e, desc, NULL, &crls))
- return NULL;
- return crls;
+ return load_certs_crls(file, format, pass, desc, NULL, crls);
}
#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
#ifndef OPENSSL_NO_ENGINE
/* Try to load an engine in a shareable library */
-static ENGINE *try_load_engine(const char *engine, int debug)
+static ENGINE *try_load_engine(const char *engine)
{
ENGINE *e = ENGINE_by_id("dynamic");
if (e) {
return NULL;
}
if ((e = ENGINE_by_id(engine)) == NULL
- && (e = try_load_engine(engine, debug)) == NULL) {
+ && (e = try_load_engine(engine)) == NULL) {
BIO_printf(bio_err, "invalid engine \"%s\"\n", engine);
ERR_print_errors(bio_err);
return NULL;
j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
#endif
}
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
-#endif
out = BIO_new_file(buf[0], "w");
if (out == NULL) {
ERR_print_errors(bio_err);
}
#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
-#else
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
#else
+ j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
-#endif
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
- serialfile, buf[1]);
#endif
if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
#ifdef ENOTDIR
perror("reason");
goto err;
}
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
- buf[0], serialfile);
-#endif
if (rename(buf[0], serialfile) < 0) {
BIO_printf(bio_err,
"unable to rename %s to %s\n", buf[0], serialfile);
if (dbattr_conf) {
char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
if (p) {
-#ifdef RL_DEBUG
- BIO_printf(bio_err,
- "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
-#endif
retdb->attributes.unique_subject = parse_yesno(p, 1);
}
}
}
#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
-#else
- j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
-#else
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
#else
+ j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+ j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
-#endif
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
#endif
out = BIO_new_file(buf[0], "w");
if (out == NULL) {
goto err;
out = BIO_new_file(buf[1], "w");
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
-#endif
if (out == NULL) {
perror(buf[2]);
BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
}
#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
-#else
- j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
+ j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
-#else
- j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
-#else
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
+ j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
#else
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
-#else
+ j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
-#endif
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]);
+ j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
+ j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
+ j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
#endif
if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
#ifdef ENOTDIR
perror("reason");
goto err;
}
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0], dbfile);
-#endif
if (rename(buf[0], dbfile) < 0) {
BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
perror("reason");
rename(buf[1], dbfile);
goto err;
}
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[4], buf[3]);
-#endif
if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
#ifdef ENOTDIR
&& errno != ENOTDIR
rename(buf[1], dbfile);
goto err;
}
-#ifdef RL_DEBUG
- BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2], buf[4]);
-#endif
if (rename(buf[2], buf[4]) < 0) {
BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
perror("reason");
else
len = 1024;
len = BIO_read(in, tbuf, len);
- if (len <= 0)
+ if (len < 0) {
+ BIO_free(mem);
+ return -1;
+ }
+ if (len == 0)
break;
if (BIO_write(mem, tbuf, len) != len) {
BIO_free(mem);
return ret;
}
-int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
{
int rv;
char *stmp, *vtmp = NULL;
nodes_print("User", X509_policy_tree_get0_user_policies(tree));
}
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-
-static JPAKE_CTX *jpake_init(const char *us, const char *them,
- const char *secret)
-{
- BIGNUM *p = NULL;
- BIGNUM *g = NULL;
- BIGNUM *q = NULL;
- BIGNUM *bnsecret = BN_new();
- JPAKE_CTX *ctx;
-
- /* Use a safe prime for p (that we found earlier) */
- BN_hex2bn(&p,
- "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
- g = BN_new();
- BN_set_word(g, 2);
- q = BN_new();
- BN_rshift1(q, p);
-
- BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
-
- ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
- BN_free(bnsecret);
- BN_free(q);
- BN_free(g);
- BN_free(p);
-
- return ctx;
-}
-
-static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
-{
- BN_print(conn, p->gx);
- BIO_puts(conn, "\n");
- BN_print(conn, p->zkpx.gr);
- BIO_puts(conn, "\n");
- BN_print(conn, p->zkpx.b);
- BIO_puts(conn, "\n");
-}
-
-static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
-{
- JPAKE_STEP1 s1;
-
- JPAKE_STEP1_init(&s1);
- JPAKE_STEP1_generate(&s1, ctx);
- jpake_send_part(bconn, &s1.p1);
- jpake_send_part(bconn, &s1.p2);
- (void)BIO_flush(bconn);
- JPAKE_STEP1_release(&s1);
-}
-
-static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
-{
- JPAKE_STEP2 s2;
-
- JPAKE_STEP2_init(&s2);
- JPAKE_STEP2_generate(&s2, ctx);
- jpake_send_part(bconn, &s2);
- (void)BIO_flush(bconn);
- JPAKE_STEP2_release(&s2);
-}
-
-static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
-{
- JPAKE_STEP3A s3a;
-
- JPAKE_STEP3A_init(&s3a);
- JPAKE_STEP3A_generate(&s3a, ctx);
- BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
- (void)BIO_flush(bconn);
- JPAKE_STEP3A_release(&s3a);
-}
-
-static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
-{
- JPAKE_STEP3B s3b;
-
- JPAKE_STEP3B_init(&s3b);
- JPAKE_STEP3B_generate(&s3b, ctx);
- BIO_write(bconn, s3b.hk, sizeof s3b.hk);
- (void)BIO_flush(bconn);
- JPAKE_STEP3B_release(&s3b);
-}
-
-static void readbn(BIGNUM **bn, BIO *bconn)
-{
- char buf[10240];
- int l;
-
- l = BIO_gets(bconn, buf, sizeof buf);
- assert(l > 0);
- assert(buf[l - 1] == '\n');
- buf[l - 1] = '\0';
- BN_hex2bn(bn, buf);
-}
-
-static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
-{
- readbn(&p->gx, bconn);
- readbn(&p->zkpx.gr, bconn);
- readbn(&p->zkpx.b, bconn);
-}
-
-static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
-{
- JPAKE_STEP1 s1;
-
- JPAKE_STEP1_init(&s1);
- jpake_receive_part(&s1.p1, bconn);
- jpake_receive_part(&s1.p2, bconn);
- if (!JPAKE_STEP1_process(ctx, &s1)) {
- ERR_print_errors(bio_err);
- exit(1);
- }
- JPAKE_STEP1_release(&s1);
-}
-
-static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
-{
- JPAKE_STEP2 s2;
-
- JPAKE_STEP2_init(&s2);
- jpake_receive_part(&s2, bconn);
- if (!JPAKE_STEP2_process(ctx, &s2)) {
- ERR_print_errors(bio_err);
- exit(1);
- }
- JPAKE_STEP2_release(&s2);
-}
-
-static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
-{
- JPAKE_STEP3A s3a;
- int l;
-
- JPAKE_STEP3A_init(&s3a);
- l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
- assert(l == sizeof s3a.hhk);
- if (!JPAKE_STEP3A_process(ctx, &s3a)) {
- ERR_print_errors(bio_err);
- exit(1);
- }
- JPAKE_STEP3A_release(&s3a);
-}
-
-static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
-{
- JPAKE_STEP3B s3b;
- int l;
-
- JPAKE_STEP3B_init(&s3b);
- l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
- assert(l == sizeof s3b.hk);
- if (!JPAKE_STEP3B_process(ctx, &s3b)) {
- ERR_print_errors(bio_err);
- exit(1);
- }
- JPAKE_STEP3B_release(&s3b);
-}
-
-void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
-{
- JPAKE_CTX *ctx;
- BIO *bconn;
-
- BIO_puts(out, "Authenticating with JPAKE\n");
-
- ctx = jpake_init("client", "server", secret);
-
- bconn = BIO_new(BIO_f_buffer());
- BIO_push(bconn, conn);
-
- jpake_send_step1(bconn, ctx);
- jpake_receive_step1(ctx, bconn);
- jpake_send_step2(bconn, ctx);
- jpake_receive_step2(ctx, bconn);
- jpake_send_step3a(bconn, ctx);
- jpake_receive_step3b(ctx, bconn);
-
- BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
-
- OPENSSL_free(psk_key);
- psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
-
- BIO_pop(bconn);
- BIO_free(bconn);
-
- JPAKE_CTX_free(ctx);
-}
-
-void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
-{
- JPAKE_CTX *ctx;
- BIO *bconn;
-
- BIO_puts(out, "Authenticating with JPAKE\n");
-
- ctx = jpake_init("server", "client", secret);
-
- bconn = BIO_new(BIO_f_buffer());
- BIO_push(bconn, conn);
-
- jpake_receive_step1(ctx, bconn);
- jpake_send_step1(bconn, ctx);
- jpake_receive_step2(ctx, bconn);
- jpake_send_step2(bconn, ctx);
- jpake_receive_step3a(ctx, bconn);
- jpake_send_step3b(bconn, ctx);
-
- BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
-
- OPENSSL_free(psk_key);
- psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
-
- BIO_pop(bconn);
- BIO_free(bconn);
-
- JPAKE_CTX_free(ctx);
-}
-
-#endif
-
/*-
* next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
*
* returns: a malloced buffer or NULL on failure.
*/
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+unsigned char *next_protos_parse(size_t *outlen, const char *in)
{
size_t len;
unsigned char *out;
#endif
}
- fd = open(filename, mode, 0600);
+#ifdef OPENSSL_SYS_VMS
+ /* VMS doesn't have O_BINARY, it just doesn't make sense. But,
+ * it still needs to know that we're going binary, or fdopen()
+ * will fail with "invalid argument"... so we tell VMS what the
+ * context is.
+ */
+ if (!textmode)
+ fd = open(filename, mode, 0600, "ctx=bin");
+ else
+#endif
+ fd = open(filename, mode, 0600);
if (fd < 0)
goto err;
fp = fdopen(fd, modestr('w', format));
void wait_for_async(SSL *s)
{
- int width, fd;
+ int width = 0;
fd_set asyncfds;
+ OSSL_ASYNC_FD *fds;
+ size_t numfds;
- fd = SSL_get_async_wait_fd(s);
- if (fd < 0)
+ if (!SSL_get_all_async_fds(s, NULL, &numfds))
return;
+ if (numfds == 0)
+ return;
+ fds = OPENSSL_malloc(sizeof(OSSL_ASYNC_FD) * numfds);
+ if (!SSL_get_all_async_fds(s, fds, &numfds)) {
+ OPENSSL_free(fds);
+ }
- width = fd + 1;
FD_ZERO(&asyncfds);
- openssl_fdset(fd, &asyncfds);
+ while (numfds > 0) {
+ if (width <= (int)*fds)
+ width = (int)*fds + 1;
+ openssl_fdset((int)*fds, &asyncfds);
+ numfds--;
+ fds++;
+ }
select(width, (void *)&asyncfds, NULL, NULL, NULL);
}
projects / openssl.git / blobdiff