| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 117 const base::Time& start, | 117 const base::Time& start, |
| 118 const base::Time& end, | 118 const base::Time& end, |
| 119 size_t required_scts) { | 119 size_t required_scts) { |
| 120 scoped_refptr<X509Certificate> cert( | 120 scoped_refptr<X509Certificate> cert( |
| 121 new X509Certificate("subject", "issuer", start, end)); | 121 new X509Certificate("subject", "issuer", start, end)); |
| 122 ct::SCTList scts; | 122 ct::SCTList scts; |
| 123 | 123 |
| 124 for (size_t i = 0; i < required_scts - 1; ++i) { | 124 for (size_t i = 0; i < required_scts - 1; ++i) { |
| 125 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 125 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 126 std::vector<std::string>(), false, &scts); | 126 std::vector<std::string>(), false, &scts); |
| 127 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 128 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 129 BoundNetLog())) |
| 130 << " for: " << (end - start).InDays() << " and " << required_scts |
| 131 << " scts=" << scts.size() << " i=" << i; |
| 127 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 132 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 128 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 133 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
| 129 scts, BoundNetLog())) | 134 scts, BoundNetLog())) |
| 130 << " for: " << (end - start).InDays() << " and " << required_scts | 135 << " for: " << (end - start).InDays() << " and " << required_scts |
| 131 << " scts=" << scts.size() << " i=" << i; | 136 << " scts=" << scts.size() << " i=" << i; |
| 132 } | 137 } |
| 133 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 138 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 134 std::vector<std::string>(), false, &scts); | 139 std::vector<std::string>(), false, &scts); |
| 140 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 141 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 142 BoundNetLog())) |
| 143 << " for: " << (end - start).InDays() << " and " << required_scts |
| 144 << " scts=" << scts.size(); |
| 135 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 145 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 136 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 146 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
| 137 scts, BoundNetLog())) | 147 scts, BoundNetLog())) |
| 138 << " for: " << (end - start).InDays() << " and " << required_scts | 148 << " for: " << (end - start).InDays() << " and " << required_scts |
| 139 << " scts=" << scts.size(); | 149 << " scts=" << scts.size(); |
| 140 } | 150 } |
| 141 | 151 |
| 142 protected: | 152 protected: |
| 143 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 153 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
| 144 scoped_refptr<X509Certificate> chain_; | 154 scoped_refptr<X509Certificate> chain_; |
| 145 std::string google_log_id_; | 155 std::string google_log_id_; |
| 146 std::string non_google_log_id_; | 156 std::string non_google_log_id_; |
| 147 }; | 157 }; |
| 148 | 158 |
| 149 TEST_F(CTPolicyEnforcerTest, | 159 TEST_F(CTPolicyEnforcerTest, |
| 150 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 160 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
| 151 ct::SCTList scts; | 161 ct::SCTList scts; |
| 152 FillSCTListWithRepeatedLogID(google_log_id_, 2, true, &scts); | 162 FillSCTListWithRepeatedLogID(google_log_id_, 2, true, &scts); |
| 153 | 163 |
| 164 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 165 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 166 BoundNetLog())); |
| 154 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 167 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 155 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 168 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 156 scts, BoundNetLog())); | 169 scts, BoundNetLog())); |
| 157 } | 170 } |
| 158 | 171 |
| 159 TEST_F(CTPolicyEnforcerTest, | 172 TEST_F(CTPolicyEnforcerTest, |
| 160 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 173 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
| 161 ct::SCTList scts; | 174 ct::SCTList scts; |
| 162 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, true, &scts); | 175 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, true, &scts); |
| 163 | 176 |
| 177 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 178 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 179 BoundNetLog())); |
| 164 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 180 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 165 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 181 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 166 scts, BoundNetLog())); | 182 scts, BoundNetLog())); |
| 167 } | 183 } |
| 168 | 184 |
| 169 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 185 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
| 170 ct::SCTList scts; | 186 ct::SCTList scts; |
| 171 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, false, &scts); | 187 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, false, &scts); |
| 172 | 188 |
| 189 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 190 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 191 BoundNetLog())); |
| 173 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 192 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 174 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 193 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 175 scts, BoundNetLog())); | 194 scts, BoundNetLog())); |
| 176 } | 195 } |
| 177 | 196 |
| 178 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 197 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 179 ct::SCTList scts; | 198 ct::SCTList scts; |
| 180 FillListWithSCTsOfOrigin( | 199 FillListWithSCTsOfOrigin( |
| 181 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); | 200 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); |
| 182 | 201 |
| 202 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 203 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 204 BoundNetLog())); |
| 183 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 205 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 184 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 206 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 185 scts, BoundNetLog())); | 207 scts, BoundNetLog())); |
| 186 } | 208 } |
| 187 | 209 |
| 188 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 210 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 189 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 211 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 190 ct::SCTList scts; | 212 ct::SCTList scts; |
| 191 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 213 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 192 &scts); | 214 &scts); |
| 193 | 215 |
| 216 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 217 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 218 BoundNetLog())); |
| 194 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 219 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 195 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 220 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 196 scts, BoundNetLog())); | 221 scts, BoundNetLog())); |
| 197 } | 222 } |
| 198 | 223 |
| 199 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 224 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 200 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 225 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 201 new DummyEVCertsWhitelist(true, false)); | 226 new DummyEVCertsWhitelist(true, false)); |
| 202 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 227 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 203 // However, as there are only two logs, two SCTs will be required - supply one | 228 // However, as there are only two logs, two SCTs will be required - supply one |
| 204 // to guarantee the test fails. | 229 // to guarantee the test fails. |
| 205 ct::SCTList scts; | 230 ct::SCTList scts; |
| 206 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 231 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 207 &scts); | 232 &scts); |
| 208 | 233 |
| 234 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 235 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 236 BoundNetLog())); |
| 209 EXPECT_EQ( | 237 EXPECT_EQ( |
| 210 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 238 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 211 policy_enforcer_->DoesConformToCTEVPolicy( | 239 policy_enforcer_->DoesConformToCTEVPolicy( |
| 212 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); | 240 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); |
| 213 | 241 |
| 214 // ... but should be OK if whitelisted. | 242 // ... but should be OK if whitelisted. |
| 215 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 243 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 216 new DummyEVCertsWhitelist(true, true)); | 244 new DummyEVCertsWhitelist(true, true)); |
| 217 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 245 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 218 policy_enforcer_->DoesConformToCTEVPolicy( | 246 policy_enforcer_->DoesConformToCTEVPolicy( |
| 219 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 247 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
| 220 } | 248 } |
| 221 | 249 |
| 222 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 250 // TODO(estark): fix this test so that it can check if |
| 251 // |no_valid_dates_cert| is on the whitelist without |
| 252 // crashing. https://crbug.com/582740 |
| 253 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { |
| 223 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 254 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 224 "subject", "issuer", base::Time(), base::Time::Now())); | 255 "subject", "issuer", base::Time(), base::Time::Now())); |
| 225 ct::SCTList scts; | 256 ct::SCTList scts; |
| 226 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 257 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 227 &scts); | 258 &scts); |
| 259 ASSERT_TRUE(no_valid_dates_cert); |
| 260 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 261 policy_enforcer_->DoesConformToCertPolicy(no_valid_dates_cert.get(), |
| 262 scts, BoundNetLog())); |
| 228 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 263 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 229 policy_enforcer_->DoesConformToCTEVPolicy( | 264 policy_enforcer_->DoesConformToCTEVPolicy( |
| 230 no_valid_dates_cert.get(), nullptr, scts, BoundNetLog())); | 265 no_valid_dates_cert.get(), nullptr, scts, BoundNetLog())); |
| 231 // ... but should be OK if whitelisted. | 266 // ... but should be OK if whitelisted. |
| 232 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 267 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 233 new DummyEVCertsWhitelist(true, true)); | 268 new DummyEVCertsWhitelist(true, true)); |
| 234 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 269 EXPECT_EQ( |
| 235 policy_enforcer_->DoesConformToCTEVPolicy( | 270 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 236 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 271 policy_enforcer_->DoesConformToCTEVPolicy( |
| 272 no_valid_dates_cert.get(), whitelist.get(), scts, BoundNetLog())); |
| 237 } | 273 } |
| 238 | 274 |
| 239 TEST_F(CTPolicyEnforcerTest, | 275 TEST_F(CTPolicyEnforcerTest, |
| 240 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 276 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 241 // Test multiple validity periods | 277 // Test multiple validity periods |
| 242 const struct TestData { | 278 const struct TestData { |
| 243 base::Time validity_start; | 279 base::Time validity_start; |
| 244 base::Time validity_end; | 280 base::Time validity_end; |
| 245 size_t scts_required; | 281 size_t scts_required; |
| 246 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 282 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 280 } | 316 } |
| 281 } | 317 } |
| 282 | 318 |
| 283 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 319 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 284 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 320 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 285 new DummyEVCertsWhitelist(true, true)); | 321 new DummyEVCertsWhitelist(true, true)); |
| 286 | 322 |
| 287 ct::SCTList scts; | 323 ct::SCTList scts; |
| 288 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 324 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 289 &scts); | 325 &scts); |
| 326 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 327 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 328 BoundNetLog())); |
| 290 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 329 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 291 policy_enforcer_->DoesConformToCTEVPolicy( | 330 policy_enforcer_->DoesConformToCTEVPolicy( |
| 292 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 331 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
| 293 } | 332 } |
| 294 | 333 |
| 295 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 334 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| 296 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 335 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 297 new DummyEVCertsWhitelist(false, true)); | 336 new DummyEVCertsWhitelist(false, true)); |
| 298 | 337 |
| 299 ct::SCTList scts; | 338 ct::SCTList scts; |
| 300 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 339 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 301 &scts); | 340 &scts); |
| 302 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 341 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 303 policy_enforcer_->DoesConformToCTEVPolicy( | 342 policy_enforcer_->DoesConformToCTEVPolicy( |
| 304 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 343 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
| 305 } | 344 } |
| 306 | 345 |
| 307 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 346 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| 308 ct::SCTList scts; | 347 ct::SCTList scts; |
| 309 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 348 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 310 &scts); | 349 &scts); |
| 311 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 350 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 312 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 351 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 313 scts, BoundNetLog())); | 352 scts, BoundNetLog())); |
| 314 } | 353 } |
| 315 | 354 |
| 316 } // namespace | 355 } // namespace |
| 317 | 356 |
| 318 } // namespace net | 357 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1578993003:
Add Expect CT policy that gets checked on all certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master