Commit Graph

32933 Commits

Author SHA1 Message Date
dependabot[bot]
0e1b7c816d Bump coverallsapp/github-action from 2.1.0 to 2.1.2
Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](https://github.com/coverallsapp/github-action/compare/v2.1.0...v2.1.2)

---
updated-dependencies:
- dependency-name: coverallsapp/github-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20773)
2023-04-21 08:39:13 +10:00
Tomas Mraz
72dfe46550 aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
Original author: Nevine Ebeid (Amazon)
Fixes: CVE-2023-1255

The buffer overread happens on decrypts of 4 mod 5 sizes.
Unless the memory just after the buffer is unmapped this is harmless.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20759)
2023-04-20 17:48:16 +02:00
Pauli
c8093347f7 test: test -pedantic option in fipsinstall
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
2023-04-20 09:21:51 +10:00
Pauli
d30fec6ff4 doc: document the -pedantic option to fipsinstall.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
2023-04-20 09:21:51 +10:00
Pauli
bc2a4225a4 fipsinstall: add -pedantic option
This adds a -pedantic option to fipsinstall that adjusts the various
settings to ensure strict FIPS compliance rather than backwards
compatibility.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
2023-04-20 09:21:51 +10:00
gakamath
1adc45b1de Adding Control Flow guard to Windows Builds
Control flow guard is a code security implementation: https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
We identified it with BlackDuck security scan utility
CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20739)
2023-04-19 15:28:02 +02:00
Richard Levitte
04e0abc8bb Configurations/descrip.mms.tmpl: Fix a few typos
These typos caused failed propagation of the 'cflags' attribute from
Configurations/10-main.conf.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20737)
2023-04-18 15:21:11 +02:00
Ladislav Marko
d79b6104ae Fix broken links in crypto manpage
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20741)
2023-04-18 18:51:55 +10:00
zhangzhilei
524c2cab6a fix test failure on Kunpeng-920
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20751)
2023-04-18 18:49:45 +10:00
Dr. David von Oheimb
8b6bbcaa7b crmf_lib.c: clean up coments on OSSL_CRMF_CERTTEMPLATE*()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20736)
2023-04-18 08:16:01 +02:00
Dr. David von Oheimb
09f30b0c96 OSSL_CRMF_CERTTEMPLATE_get0_publicKey(): fix return type and doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20736)
2023-04-18 08:16:01 +02:00
Dr. David von Oheimb
25b18e629d crypto/cmp: fix CertReqId to use in p10cr transactions acc. to RFC 4210
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20298)
2023-04-18 07:26:11 +02:00
Alois Klink
dcfeb61747 bn_local: remove unused PTR_SIZE_INT definition
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)
2023-04-16 19:19:04 +01:00
Alois Klink
f659f7a1c7 bn_nist: remove unused type-punning union u
We no longer need to cast function pointers to PTR_SIZE_INT.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)
2023-04-16 17:07:24 +01:00
Alois Klink
326af4ad17 bn_nist: replace pointer bit-fiddling with ternary
Bit-fiddling pointers is technically implementation defined behavior
in the C specification so the following code is not supported in all
platforms:

    PTR_SIZE_INT mask;
    void * a, b, c;
    int boolean_flag;

    mask = 0 - boolean_flag;
    /* Not guaranteed to be a valid ptr to a or b on all platforms  */
    a = (void *)
        ((((PTR_SIZE_INT) b & ~mask) | (((PTR_SIZE_INT)) c & mask)));

Using a ternary conditional operator is supported on all platforms
(i.e. `a = boolean_flag ? b : c;`).

On most modern compilers/CPUs, this will be faster, since it will
get converted to a CMOV instruction.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)
2023-04-16 16:45:21 +01:00
Danny Carpenter
8835940db5 adding provider_unload functions for cmp_ tests
CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20731)
2023-04-16 22:23:24 +10:00
GauriSpears
7eab7680ee List also non-fetchable hashes in openssl dgst -list
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20651)
2023-04-14 14:40:41 +02:00
slontis
8b7b9aac44 Fix a HPKE API to put libctx, propq as last (optional parameters).
This keeps the interface consistent with other HPKE API's.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20583)
2023-04-14 13:11:24 +10:00
Tomas Mraz
efbff4de3e Fix the LCM computation in the RSA multiprime key check
Fixes #20693

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20708)
2023-04-13 15:23:05 +02:00
Ladislav Marko
e35a213341 Fix typo in ssl_ciph.c
CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20703)
2023-04-13 10:28:08 +01:00
Aidan Khoury
c0e090bd61 Fix UEFI support on win32
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20714)
2023-04-13 10:25:55 +01:00
Ladislav Marko
51b941ac29 doc: Fix incorrect pairing of functions
CLA: trivial

The functions that should be implemented together are `OSSL_FUNC_signature_verify_recover_init` and `OSSL_FUNC_signature_verify_recover` and not  `OSSL_FUNC_signature_verify_recover_init` with ` OSSL_FUNC_signature_verify_init`

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20704)
2023-04-13 10:13:04 +10:00
Ladislav Marko
b2023d5dfc doc: Fix misleading stucture info
CLA: trivial

The thing created by `OSSL_FUNC_signature_newctx()` and `OSSL_FUNC_signature_dupctx()` is a signature context, not a signature. It's in the name of the function and surrounding documentation.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20705)
2023-04-13 10:11:23 +10:00
Yuan, Shuai
40f4884990 Fixes #19580 ECX keygen
Signed-off-by: Yuan, Shuai <shuai.yuan@intel.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20680)
2023-04-12 17:21:43 +10:00
Matt Caswell
7a4e109ebe Allow partially releasing a record for TLS
This enables the cleansing of plaintext to occur in the record layer and
avoids the need to cast away const above the record layer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20404)
2023-04-12 11:02:01 +10:00
Matt Caswell
2eb91b0ec3 Make the data field for get_record() const
Improves consistency with the QUIC rstream implementation - and improves
the abstraction between the TLS implementation and the abstract record
layer. We should not expect that the TLS implementation should be able to
change the underlying buffer. Future record layers may not expect that.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20404)
2023-04-12 11:02:01 +10:00
Matt Caswell
7257188b70 Add support for rstream get/release record in the QUIC TLS layer
The QUIC TLS layer was taking an internal copy of rstream data while
reading. The QUIC rstream code has recently been extended to enable a
get/release model which avoids the need for this internal copy, so we use
that instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20404)
2023-04-12 11:02:01 +10:00
Jeeban Sethi
dfb8e18513 Updated return value of PEM_write_TYPE() and PEM_write_bio_TYPE() in man-pages.
Fixes #20218

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20673)
2023-04-11 10:45:44 +02:00
Tomas Mraz
1ac0464d4c CI: Checkout submodules to make the regression fuzz tests run
Otherwise the fuzz/corpora won't be present.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20683)
2023-04-11 10:42:10 +02:00
Tomas Mraz
3565cc2c5b Add openssl/fuzz-corpora repository as submodule
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20683)
2023-04-11 10:41:56 +02:00
Tomas Mraz
0f73501196 Remove fuzz corpora data from the repository
To be replaced with a git submodule.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20683)
2023-04-11 10:41:56 +02:00
dependabot[bot]
37ae8549f0 Bump coverallsapp/github-action from 1.2.4 to 2.1.0
Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 1.2.4 to 2.1.0.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](https://github.com/coverallsapp/github-action/compare/v1.2.4...v2.1.0)

---
updated-dependencies:
- dependency-name: coverallsapp/github-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20699)
2023-04-11 10:11:50 +02:00
Pauli
5303608523 Remove FIPS cross version check of 3.0.0 provider against current
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20552)
2023-04-11 12:17:22 +10:00
Pauli
3254f7b666 Remove old FIPS provider cross version check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20552)
2023-04-11 12:17:22 +10:00
Pauli
3b38f3d869 Add action to cross validate FIPS providers
Tests all released FIPS approved (or in progress) versions against
all development branches and each other.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20552)
2023-04-11 12:17:22 +10:00
Vishwa Pravin
f309b3f608 Ignore SIGPIPE if client closes connection abruptly
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20678)
2023-04-06 13:41:53 +10:00
Bernd Edlinger
f06ef1657a Alternative fix for CVE-2022-4304
This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.

There are in fact at least three bugs together that
caused the timing leak:

First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.

Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.

And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.

In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.

And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.

Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.

In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.

So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)
2023-04-04 12:13:27 +02:00
Bernd Edlinger
4209ce68d8 Revert "Fix Timing Oracle in RSA decryption"
This reverts commit b1892d21f8.

Except for the moving derive_kdk to a separate function.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)
2023-04-04 12:13:27 +02:00
Anatolii Lishchynskyi
34e4a962bc Erase temporary buffer in EVP_PKEY_get_bn_param()
Function EVP_PKEY_get_bn_param() uses temporary buffer (on stack or
heap allocated) to store serialized bignum, but after deserializing it
into BIGNUM*, the buffer is not erased and may contain sensitive data.

This change makes sure the buffer is erased if it was successfully
filled before. Unfortunately, it does not distinguish between public and
private key components, and will always erase the buffer.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20639)
2023-04-04 12:05:25 +02:00
Matt Caswell
540c2d175d Don't call OPENSSL_init_crypto from inside a RUN_ONCE
Calling OPENSSL_init_crypto from inside a RUN_ONCE seems like a bad idea.
This is especially bad if OPENSSL_init_crypto can recursively end up
attempting to call the RUN_ONCE that we're already inside.

The initialisation in OPENSSL_init_crypto is already "run once" protected.
There is no need to protect it "twice".

Fixes #20653

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20662)

(cherry picked from commit a9745427cd)
2023-04-04 09:36:42 +02:00
Matt Caswell
418c6c5207 Update the documentation for SSL_version et al
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20650)
2023-04-04 09:06:31 +10:00
Matt Caswell
843f6e277f Add a test for SSL_version(), SSL_get_version() etc
We also test SSL_is_dtls(), SSL_is_tls() and SSL_is_quic().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20650)
2023-04-04 09:06:31 +10:00
Matt Caswell
50769b15ea Make sure we can query the SSL object for version info when using QUIC
We have the existing functions SSL_version(), SSL_get_version() and
SSL_is_dtls(). We extend the first two to return something sensible when
using QUIC. We additionally provide the new functions SSL_is_tls() and
SSL_is_quic() to provide a mechanism to figure out what protocol we are
using.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20650)
2023-04-04 09:06:18 +10:00
slontis
a76ccb9d0d FFC cleanups
Discovered during coverage testing.

Remove unneccesary check when using ossl_dh_get0_params() and
ossl_dsa_get0_params(). These point to addresses and can not fail
for any existing calls.

Make dsa keygen tests only available in the FIPS module - as they are
not used in the default provider.

Change ossl_ffc_set_digest() to return void as it cannot fail.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20359)
2023-04-03 10:31:04 +02:00
Tomas Mraz
eb52450f51 Avoid calling into provider with the same iv_len or key_len
Fixes #20625

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20664)
2023-04-03 08:22:28 +10:00
Anthony Roberts
fae5a15573 Fix compilation error when using clang-cl 16 or higher
Fixes a "Incompatible function pointer types" error.

In prior versions, this was a warning, but is now an error.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20654)
2023-04-03 08:19:43 +10:00
slontis
9559ad0e8d Make DSA_sign() test for negative p,q,g values.
Related to #20268

DSA_sign() assumes that the signature passed in is related to DSA_size().
If q is negative then DSA_size() actually fails and returns 0.

A test that tries to allocate the signature buffer using DSA_size() and then
pass it to DSA_sign() will then either.

(1) Have a signature buffer of NULL. In this case it was leaking data
returned via i2d_DSA_SIG.

(2) Cause a seg fault because we created a buffer that was not large
enough to hold the signature. As it already checked zero we also now
check for negative values also.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20553)
2023-03-31 15:17:27 -04:00
afshinpir
6469043bba Incorrect null pointer check
CLA: trivial
There is an incorrect null pointer check and this ccommit resolves it.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20646)
2023-03-31 15:09:18 -04:00
slontis
4befe81a99 Fix mem leak in ECDSA_sign().
Similiar to the issue found in PR #20553 for DSA_sign().
ECDSA_sign() leaked memory if the signature was NULL
when i2d_ECDSA_SIG was called.

Note that this does not affect the higher level EVP
functions as they correctly handle NULL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20554)
2023-03-31 14:57:47 -04:00
Samuel Lee (ENS/CRYPTO)
027226eb22 doc: Fix typo in EVP_EncryptInit.pod
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20645)
2023-03-31 14:29:12 -04:00