Elgato_dark/wolfssl
1
0
Fork 0
mirror of https://github.com/wolfSSL/wolfssl synced 2026-05-24 10:18:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
wolfssl/scripts/ocsp-stapling.test
Juliusz Sosinowicz d2f45f614f Make test scripts work in sandboxed/restricted environments 
multi-msg-record.py: auto-detect the CA cert format the wolfSSL client
build accepts (PEM or DER) from the default shown in client -? help.
OPENSSL_EXTRA-style builds need PEM; NO_CODING builds need DER.

ocsp-stapling.test: skip the external login.live.com connection unless
WOLFSSL_EXTERNAL_TEST is explicitly enabled (matches external.test /
google.test convention). Local OCSP tests still run.

ocsp-responder-openssl-interop.test: use ${TMPDIR:-/tmp} for mktemp
templates so the test works when /tmp is not writable.
2026-05-14 13:10:13 +02:00

605 lines
21 KiB
Bash
Executable file
Raw Permalink Blame History

#!/usr/bin/env bash
# ocsp-stapling.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
# Note, this script makes connection(s) to the public Internet.
SCRIPT_DIR="$(dirname "$0")"
if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2
fi
if test "$WOLFSSL_EXTERNAL_TEST" == "0"; then
echo 'skipping oscp-stapling.test because WOLFSSL_EXTERNAL_TEST is \
defined to the value 0.'
exit 77
fi
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
&& exit 1
if ./examples/client/client -? 2>&1 | grep "Client not compiled in!" ; then
echo 'skipping ocsp-stapling.test because client not compiled in.' 1>&2
exit 77
fi
if ./examples/server/server -? 2>&1 | grep "Server not compiled in!" ; then
echo 'skipping ocsp-stapling.test because server not compiled in.' 1>&2
exit 77
fi
if ! ./examples/client/client -V | grep -q 3; then
echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
exit 77
fi
if ./examples/client/client '-#' | grep -F -q -e ' -DWOLFSSL_SNIFFER '; then
echo 'skipping oscp-stapling.test because WOLFSSL_SNIFFER defined.'
exit 77
fi
if ./examples/client/client -V | grep -q 4; then
tls13=yes
fi
if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
dtls13=yes
fi
if ./examples/client/client '-?' 2>&1 | grep -q -- 'Perform multi OCSP stapling for TLS13'; then
tls13multi=yes
else
tls13multi=no
fi
if openssl s_server -help 2>&1 | grep -F -q -i ipv6 && nc -h 2>&1 | grep -F -q -i ipv6; then
IPV6_SUPPORTED=yes
else
IPV6_SUPPORTED=no
fi
if ./examples/client/client '-#' | grep -F -q -e ' -DTEST_IPV6 '; then
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
exit 77
fi
LOCALHOST='[::1]'
LOCALHOST_FOR_NC='::1'
V4V6=6
V4V6_FLAG=-6
else
LOCALHOST='127.0.0.1'
LOCALHOST_FOR_NC='127.0.0.1'
if [[ "$IPV6_SUPPORTED" == "yes" ]]; then
V4V6_FLAG=-4
else
V4V6_FLAG=
fi
V4V6=4
fi
PARENTDIR="$PWD"
# create a unique workspace directory ending in PID for the script instance ($$)
# to make this instance orthogonal to any others running, even on same repo.
# TCP ports are also carefully formed below from the PID, to minimize conflicts.
WORKSPACE="${PARENTDIR}/workspace.pid$$"
mkdir "${WORKSPACE}" || exit $?
cp -pR "${SCRIPT_DIR}"/../certs "${WORKSPACE}"/ || exit $?
cd "$WORKSPACE" || exit $?
ln -s ../examples .
CERT_DIR="./certs/ocsp"
ready_file="$WORKSPACE"/wolf_ocsp_s1_readyF$$
ready_file2="$WORKSPACE"/wolf_ocsp_s1_readyF2$$
printf '%s\n' "ready file: \"$ready_file\""
test_cnf="ocsp_s1.cnf"
wait_for_readyFile(){
counter=0
while [ ! -s "$1" ] && [ "$counter" -lt 20 ]; do
if [[ -n "${2-}" ]]; then
if ! kill -0 "$2" 2>&-; then
echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
exit 1
fi
fi
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e "$1"; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file at \"$1\" -- ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e "$1"; then
printf '%s\n' "removing ready file: \"$1\""
rm "$1"
fi
}
retry_with_backoff() {
local max_attempts=$1
shift
local attempt=1
local delay=1
local status=0
while :; do
"$@"
status=$?
if [ $status -eq 0 ]; then
return 0
fi
if [ "$attempt" -ge "$max_attempts" ]; then
return $status
fi
printf '%s\n' "Retry $attempt/$max_attempts failed, backing off ${delay}s..."
sleep $delay
attempt=$((attempt + 1))
delay=$((delay * 2))
done
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
printf '%s\n' "Random Port Selected: $1"
{
printf '%s\n' "#"
printf '%s\n' "# openssl configuration file for OCSP certificates"
printf '%s\n' "#"
printf '%s\n' ""
printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)"
printf '%s\n' "[ v3_req1 ]"
printf '%s\n' "basicConstraints = CA:false"
printf '%s\n' "subjectKeyIdentifier = hash"
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always"
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment"
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1"
printf '%s\n' ""
printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)"
printf '%s\n' "[ v3_req2 ]"
printf '%s\n' "basicConstraints = CA:false"
printf '%s\n' "subjectKeyIdentifier = hash"
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always"
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment"
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222"
printf '%s\n' ""
printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)"
printf '%s\n' "[ v3_req3 ]"
printf '%s\n' "basicConstraints = CA:false"
printf '%s\n' "subjectKeyIdentifier = hash"
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always"
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment"
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223"
printf '%s\n' ""
printf '%s\n' "# Extensions for a typical CA"
printf '%s\n' "[ v3_ca ]"
printf '%s\n' "basicConstraints = CA:true"
printf '%s\n' "subjectKeyIdentifier = hash"
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always"
printf '%s\n' "keyUsage = keyCertSign, cRLSign"
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220"
printf '%s\n' ""
printf '%s\n' "# OCSP extensions."
printf '%s\n' "[ v3_ocsp ]"
printf '%s\n' "basicConstraints = CA:false"
printf '%s\n' "subjectKeyIdentifier = hash"
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always"
printf '%s\n' "extendedKeyUsage = OCSPSigning"
} > "$test_cnf"
mv "$test_cnf" "$CERT_DIR/$test_cnf"
cd "$CERT_DIR" || exit
CURR_LOC="$PWD"
printf '%s\n' "echo now in $CURR_LOC"
./renewcerts-for-test.sh "$test_cnf"
cd "$WORKSPACE" || exit
}
remove_ready_file() {
if test -e "$ready_file"; then
printf '%s\n' "removing ready file"
rm "$ready_file"
fi
if test -e "$ready_file2"; then
printf '%s\n' "removing ready file: \"$ready_file2\""
rm "$ready_file2"
fi
}
cleanup()
{
exit_status=$?
for i in $(jobs -pr)
do
kill -s KILL "$i"
done
remove_ready_file
rm "$CERT_DIR/$test_cnf"
cd "$PARENTDIR" || return 1
rm -r "$WORKSPACE" || return 1
if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
echo "retrying..."
RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
exec $0 "$@"
fi
}
trap cleanup EXIT INT TERM HUP
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
if ./examples/client/client '-?' 2>&1 | grep -q -- 'Client not compiled in!'; then
exit 0
fi
# check if supported key size is large enough to handle 4096 bit RSA
size="$(./examples/client/client '-?' | grep "Max RSA key")"
size="${size//[^0-9]/}"
if [ -n "$size" ]; then
printf 'check on max key size of %d ...' "$size"
if [ "$size" -lt 4096 ]; then
printf '%s\n' "4096 bit RSA keys not supported"
exit 0
fi
printf 'OK\n'
fi
# choose consecutive ports based on the PID, skipping any that are
# already bound, to avoid the birthday problem in case other
# instances are sharing this host.
get_first_free_port() {
local ret="$1"
while :; do
if [[ "$ret" -ge 65536 ]]; then
ret=1024
fi
if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then
break
fi
ret=$((ret+1))
done
echo "$ret"
return 0
}
base_port=$((((($$ + RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
port1=$(get_first_free_port $base_port)
port2=$(get_first_free_port $((port1 + 1)))
port3=$(get_first_free_port $((port2 + 1)))
# test interop fail case
ready_file=$PWD/wolf_ocsp_readyF$$
printf '%s\n' "ready file: \"$ready_file\""
./examples/server/server -b -p "$port1" -o -R "$ready_file" &
wolf_pid=$!
wait_for_readyFile "$ready_file" "$wolf_pid" "$port1"
if [ ! -f "$ready_file" ]; then
printf '%s\n' "Failed to create ready file: \"$ready_file\""
exit 1
else
# should fail if ocspstapling is also enabled
OPENSSL_OUTPUT=$(echo "hi" | openssl s_client -status $V4V6_FLAG -legacy_renegotiation -connect "${LOCALHOST}:$port1" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1)
OPENSSL_RESULT=$?
echo "$OPENSSL_OUTPUT"
grep -F -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
FGREP1_RESULT=$?
grep -F -q 'self-signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
FGREP2_RESULT=$?
if [ "$OPENSSL_RESULT" -eq 0 ] && [ "$FGREP1_RESULT" -ne 0 ] && [ "$FGREP2_RESULT" -ne 0 ]; then
printf '%s\n' "Expected verification error from s_client is missing."
remove_single_rF "$ready_file"
exit 1
fi
remove_single_rF "$ready_file"
if ! wait "$wolf_pid"; then
printf '%s\n' "wolfSSL server unexpected fail"
exit 1
fi
fi
# create a port to use with openssl ocsp responder
./examples/server/server -b -p "$port2" -R "$ready_file" &
wolf_pid2=$!
wait_for_readyFile "$ready_file" "$wolf_pid2" "$port2"
if [ ! -f "$ready_file" ]; then
printf '%s\n' "Failed to create ready file: \"$ready_file\""
exit 1
else
printf '%s\n' "Random port selected: $port2"
# Use client connection to shutdown the server cleanly
./examples/client/client -p "$port2"
create_new_cnf "$port2"
fi
sleep 0.1
# is our desired server there? - login.live.com doesn't answers PING
#./scripts/ping.test $server 2
# client test against the server
server=login.live.com
#ca=certs/external/DigiCertGlobalRootCA.pem
ca=./certs/external/ca_collection.pem
if [[ -z "${WOLFSSL_EXTERNAL_TEST-}" || "$WOLFSSL_EXTERNAL_TEST" == "0" ]]; then
echo "Skipping OCSP test on $server (set WOLFSSL_EXTERNAL_TEST=1 to run)"
elif [[ "$V4V6" == "4" ]]; then
retry_with_backoff 3 ./examples/client/client -C -h "$server" -p 443 -A "$ca" -g -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
else
echo "Skipping OCSP test on $server (IPv6 test client)"
fi
# Test with example server
if ./examples/server/server '-?' 2>&1 | grep -q -- 'Server not compiled in!'; then
exit 0
fi
# setup ocsp responder
# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port "$port2" -nmin 1 \
-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
"$@" &
sleep 0.1
# "jobs" is not portable for posix. Must use bash interpreter!
[ "$(jobs -r | wc -l)" -ne 1 ] && \
printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -p "$port3" &
wolf_pid3=$!
wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p "$port3"
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED CERT
remove_single_rF "$ready_file2"
./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
-k certs/ocsp/server2-key.pem -p "$port3" &
wolf_pid3=$!
wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3"
sleep 0.1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p "$port3"
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test successfully REVOKED!"
if [[ ("$tls13" == "yes") && ("$tls13multi" == "no") ]]; then
printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
# client test against our own server - GOOD CERT
remove_single_rF "$ready_file2"
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -v 4 \
-p "$port3" &
wolf_pid3=$!
wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
-p "$port3"
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD PASS --------------------"
# client test against our own server, must staple - GOOD CERT
remove_single_rF "$ready_file2"
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -v 4 \
-p "$port3" &
wolf_pid3=$!
wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \
-p "$port3"
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ------------------"
# client test against our own server - REVOKED CERT
remove_single_rF "$ready_file2"
./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
-k certs/ocsp/server2-key.pem -v 4 \
-p "$port3" &
wolf_pid3=$!
wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
-p "$port3"
RESULT=$?
[ $RESULT -ne 1 ] && \
printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test successfully REVOKED!"
else
echo 'skipping TLS1.3 stapling tests.' 1>&2
fi
# DTLS 1.2 and 1.3 cases
if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.2'; then
printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------"
# client test against our own server, must staple - GOOD CERT
echo "$ready_file2"
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -u -v 3 \
-p "$port3" &
wolf_pid3=$!
sleep 0.2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 3 \
-W 1 -p "$port3"
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
fi
if [[ ("$dtls13" == "yes") && ("$tls13multi" == "no") ]]; then
printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD PASS -------------------"
# client test against our own server, must staple - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -u -v 4 \
-p "$port3" &
wolf_pid3=$!
sleep 0.2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 4 \
-W 1 -p "$port3"
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
fi
# need a unique port since may run the same time as testsuite
# Track ports already assigned in this script run to prevent intra-run collisions
used_ports=()
generate_port() {
#-------------------------------------------------------------------------#
# Generate a random port number, guaranteed unique within this script run.
# Checks both the intra-run used_ports list and system-level bound ports.
#-------------------------------------------------------------------------#
local attempts=0 collision p
while true; do
if [[ "$OSTYPE" == "linux"* || "$OSTYPE" == "msys"
|| "$OSTYPE" == "cygwin"* ]]; then
p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
elif [[ "$OSTYPE" == "darwin"* ]]; then
p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
else
echo "Unknown OS TYPE"
exit 1
fi
# Check against ports already assigned in this run
collision=0
for up in "${used_ports[@]}"; do
if [ "$up" = "$p" ]; then
collision=1
break
fi
done
# Also check if the port is already bound on this system
if [ $collision -eq 0 ]; then
if command -v ss &>/dev/null; then
ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
elif command -v netstat &>/dev/null; then
netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
fi
fi
[ "$collision" -eq 0 ] && break
((attempts++))
if [ "$attempts" -ge 100 ]; then
echo "ERROR: generate_port could not find a free port after 100 attempts"
exit 1
fi
done
port=$p
used_ports+=("$p")
}
# Start OpenSSL server that has no OCSP responses to return
generate_port
openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port "$port" &
MAX_TIMEOUT=10
until nc -z localhost "$port" # Wait for openssl to be ready
do
sleep 0.05
if [ "$MAX_TIMEOUT" == "0" ]; then
break
fi
((MAX_TIMEOUT--))
done
printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p "$port" -g -v 3 -W 1
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p "$port" -g -v 3 -W 1m
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
openssl ciphers -tls1_3
openssl_tls13=$?
./examples/client/client -V | grep -q 4
wolfssl_tls13=$?
if [ "$openssl_tls13" = "0" ] && [ "$wolfssl_tls13" = "0" ]; then
printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p "$port" -g -v 4 -W 1
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p "$port" -g -v 4 -W 1m
RESULT=$?
[ $RESULT -ne 1 ] \
&& printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
else
echo -n 'skipping TLS1.3 stapling interoperability test:' 1>&2
if [ "$openssl_tls13" != "0" ]; then
echo -n ' OpenSSL' 1>&2
fi
if [ "$wolfssl_tls13" != "0" ]; then
if [ "$openssl_tls13" != "0" ]; then
echo -n ' and' 1>&2
fi
echo -n ' wolfSSL' 1>&2
fi
echo -n ' missing TLS1.3 support.' 1>&2
fi
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
exit 0
Reference in a new issue View git blame Copy permalink