From patchwork Tue Jul 20 16:04:58 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nick Child <nnac123@gmail.com>
X-Patchwork-Id: 1507669
Return-Path: 
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org
 (client-ip=112.213.38.117; helo=lists.ozlabs.org;
 envelope-from=skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=XYFQ3Z+3;
	dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4GTl363Dw0z9sWX
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:10 +1000 (AEST)
Received: from boromir.ozlabs.org (localhost [IPv6:::1])
	by lists.ozlabs.org (Postfix) with ESMTP id 4GTl3620s7z3bSn
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:10 +1000 (AEST)
Authentication-Results: lists.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=XYFQ3Z+3;
	dkim-atps=neutral
X-Original-To: skiboot-stable@lists.ozlabs.org
Delivered-To: skiboot-stable@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized)
 smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::f30;
 helo=mail-qv1-xf30.google.com; envelope-from=nnac123@gmail.com;
 receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=XYFQ3Z+3; dkim-atps=neutral
Received: from mail-qv1-xf30.google.com (mail-qv1-xf30.google.com
 [IPv6:2607:f8b0:4864:20::f30])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by lists.ozlabs.org (Postfix) with ESMTPS id 4GTk7w4Xrmz2yPC
 for <skiboot-stable@lists.ozlabs.org>; Wed, 21 Jul 2021 02:05:15 +1000 (AEST)
Received: by mail-qv1-xf30.google.com with SMTP id c15so10338141qvw.6
 for <skiboot-stable@lists.ozlabs.org>; Tue, 20 Jul 2021 09:05:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=nM/pd6in2dhWRQzLtht9gbztJaK7mCbHP3Hzsdy3gIY=;
 b=XYFQ3Z+3EhxQnYsFaYc6TAM2nYV2zWwhT2rkkcrmJzXHr3R5/Yevk6YD0eqjYul8y5
 F05xE2TVrrCPTyojuUqibYzLu6EHp5ZVsZ1YHabvkPqoFCZW8oLkxl+oQNR6hOc2JA1/
 Qfr0osB43K0mdaAfuznNC46H1/YwD0vTDKAaUM1XZ1eO0sJ+UrVhpvmc+NDpZu2SURT8
 PuEkGrTnKmiIO+224p0W/oGcnRvcQUtbYMi54fFfF4eiKfqlI24VauQnCAOkLgzWDGhr
 d0QlVEypyaGhIFq0AF7t8AC7qujUaHpLaeQA+vv9vyvxal91jfhZxzRvK9pszyEhOO8E
 HqVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=nM/pd6in2dhWRQzLtht9gbztJaK7mCbHP3Hzsdy3gIY=;
 b=Fld2OWIoh10Dwe4lAColFRCST5jfWCFeAYo7uOjctPvt/TcYvW7l+go/rYmxyDW9Pw
 eZbntzTpGwqL0ShFwf3fNuyyVRnprhEN2YyUFXZJHZSKuIHEFr5Zlq7EhSHTMMpJytae
 cRyFVGQbcp6MXIWvsmqZVGQsq9VIycF5sG4B0PLJSNVJkhCdiPL8T5vrTu+ZfH8JKyTd
 KZViwkDTr3s2VxeSLB0qLpTsegxpNTWRbmhwhcHmY6hzGiRSqbQIch0Qlr2uLtg3Dbtt
 eHfDTmtb374xq9fAXoaG+bYIXzfqwQmcjTfAX4L+YcbFZXRuy5WvJ3n0g0gPQaJncFmW
 /v7A==
X-Gm-Message-State: AOAM532k9zkdfE2KdlTad7kdY+nQZMZ0NIs1MnmicSatJ8+s6r+jD7L0
 tGKTAivxFPt4ebRf2e8qqwEWAQ0bFtw=
X-Google-Smtp-Source: 
 ABdhPJwd3L85kgwPtGraUygdPpM59+FL3zNyjWgikzP4U98EhVtLsH3Lkcp09K3YWwbOTmGNMURf1w==
X-Received: by 2002:ad4:56e8:: with SMTP id cr8mr30944916qvb.53.1626797111418;
 Tue, 20 Jul 2021 09:05:11 -0700 (PDT)
Received: from starship-12.hsd1.fl.comcast.net
 ([2601:589:4a00:1ed0:4391:e426:6e2:788b])
 by smtp.gmail.com with ESMTPSA id 67sm7964727qtf.83.2021.07.20.09.05.10
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 20 Jul 2021 09:05:10 -0700 (PDT)
From: Nick Child <nnac123@gmail.com>
X-Google-Original-From: Nick Child <nick.child@ibm.com>
To: skiboot-stable@lists.ozlabs.org
Date: Tue, 20 Jul 2021 12:04:58 -0400
Message-Id: <20210720160501.9850-1-nick.child@ibm.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 21 Jul 2021 02:46:07 +1000
Subject: [Skiboot-stable] [PATCH v1 1/4] secvar: ensure ESL buf size is at
 least what ESL header expects
X-BeenThere: skiboot-stable@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Patches, review, and discussion for stable releases of skiboot"
 <skiboot-stable.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/skiboot-stable/>
List-Post: <mailto:skiboot-stable@lists.ozlabs.org>
List-Help: <mailto:skiboot-stable-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=subscribe>
Cc: nick.child@ibm.com, Nick Child <nnac123@gmail.com>, nayna@linux.ibm.com,
 dja@axtens.net
Errors-To: 
 skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot-stable"
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

From: Nick Child <nnac123@gmail.com>

commit ID: 8a31163a0271f11b4597bca4e803f559e38e3d24 from upstream.

Currently, `get_esl_cert` receives a data buffer containing an ESL and its
length. It is to return a data buffer of the certificate that is contained
inside the ESL. The ESL has header info that contains the certificates
`size`  and the size of the header (`sig_data_offset`). We use this
information to copy `size` bytes starting `sig_data_offset` bytes after the
given ESL buffer. Currently we are checking that the length of the ESL
buffer is at least `sig_data_offset` bytes but we are not checking that it
also has enough bytes to also contain `size` bytes of the certificate. This
becomes problematic if some data at the end of the ESL gets lost. Since the
ESL claims it has more than it actually does, this will lead to a buffer
over-read. What is even worse, is that this buffer over-read can go
unnoticed since the last 256 bytes of the ESL are usually the x509 2048 bit
signature so the extra garbage bytes that are copied will appear to be a
valid rsa signature.

To resolve this, this commit ensures that the ESL buffer length is large
enough to hold the data that it claims it contains.

Lastly, a new test case is added to test the described condition. It
includes a new test file `trimmedKEK.h` which contains a struct a valid KEK
auth file minus 5 bytes, therefore making it invalid.

Fixes: 87562bc5c1a6 ("secvar/backend: add edk2 derived key updates processing")
Signed-off-by: Nick Child <nick.child@ibm.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
---

All patches have been cherry-picked off the upstream master branch.
The reason for backports being to fix current secvar processing behavior 
to bettrer match the intended behavior. See commit messages for a more 
elaborate explanation on backport importance. All commits also come with
a test case to show the specific bug they are fixing.

---

 libstb/secvar/backend/edk2-compat-process.c  |   6 +-
 libstb/secvar/test/data/trimmedKEK.h         | 161 +++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c |  16 ++
 3 files changed, 182 insertions(+), 1 deletion(-)
 create mode 100644 libstb/secvar/test/data/trimmedKEK.h

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 037c1b49..55b50d68 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -135,8 +135,12 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert)
 	sig_data_offset = sizeof(EFI_SIGNATURE_LIST)
 			  + le32_to_cpu(list->SignatureHeaderSize)
 			  + 16 * sizeof(uint8_t);
-	if (sig_data_offset > buflen)
+
+	/* Ensure this ESL does not overflow the bounds of the buffer */
+	if (sig_data_offset + size > buflen) {
+		prlog(PR_ERR, "Number of bytes of ESL data is less than size specified\n");
 		return OPAL_PARAMETER;
+	}
 
 	*cert = zalloc(size);
 	if (!(*cert))
diff --git a/libstb/secvar/test/data/trimmedKEK.h b/libstb/secvar/test/data/trimmedKEK.h
new file mode 100644
index 00000000..6600d254
--- /dev/null
+++ b/libstb/secvar/test/data/trimmedKEK.h
@@ -0,0 +1,161 @@
+unsigned char trimmedKEK_auth[]  = {
+0xe4 ,0x07 ,0x09 ,0x0e ,0x0e ,0x22 ,0x2e ,0x00  ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
+,0xd3 ,0x05 ,0x00 ,0x00 ,0x00 ,0x02 ,0xf1 ,0x0e  ,0x9d ,0xd2 ,0xaf ,0x4a ,0xdf ,0x68 ,0xee ,0x49
+,0x8a ,0xa9 ,0x34 ,0x7d ,0x37 ,0x56 ,0x65 ,0xa7  ,0x30 ,0x82 ,0x05 ,0xb7 ,0x06 ,0x09 ,0x2a ,0x86
+,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x02 ,0xa0  ,0x82 ,0x05 ,0xa8 ,0x30 ,0x82 ,0x05 ,0xa4 ,0x02
+,0x01 ,0x01 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x09  ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02
+,0x01 ,0x05 ,0x00 ,0x30 ,0x0b ,0x06 ,0x09 ,0x2a  ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x01
+,0xa0 ,0x82 ,0x03 ,0xca ,0x30 ,0x82 ,0x03 ,0xc6  ,0x30 ,0x82 ,0x02 ,0xae ,0xa0 ,0x03 ,0x02 ,0x01
+,0x02 ,0x02 ,0x09 ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20  ,0x41 ,0x00 ,0xa8 ,0xeb ,0x30 ,0x0d ,0x06 ,0x09
+,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01  ,0x0b ,0x05 ,0x00 ,0x30 ,0x78 ,0x31 ,0x0b ,0x30
+,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02  ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03
+,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78  ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03
+,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73  ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06
+,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42  ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55
+,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31  ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x03
+,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d  ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d
+,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79  ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62
+,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x1e ,0x17  ,0x0d ,0x32 ,0x30 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31
+,0x35 ,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x17 ,0x0d  ,0x32 ,0x31 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35
+,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x30 ,0x78 ,0x31  ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06
+,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c  ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54
+,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d  ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41
+,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30  ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03
+,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06  ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54
+,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55  ,0x04 ,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f
+,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86  ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e
+,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40  ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30
+,0x82 ,0x01 ,0x22 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a  ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01
+,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x0f ,0x00 ,0x30  ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00
+,0xaf ,0xca ,0xd3 ,0xaa ,0xb0 ,0xc7 ,0xb5 ,0x2e  ,0x3b ,0x12 ,0x27 ,0x68 ,0x2d ,0x90 ,0x17 ,0xc4
+,0x21 ,0x93 ,0x58 ,0x53 ,0xd7 ,0xa6 ,0x2f ,0x40  ,0xfa ,0x37 ,0x8e ,0x7a ,0x85 ,0x5b ,0xd3 ,0xa8
+,0x9d ,0xac ,0xa1 ,0x6a ,0x52 ,0xeb ,0x07 ,0x05  ,0x8c ,0x74 ,0x00 ,0xbe ,0xa6 ,0x54 ,0x1b ,0x1d
+,0x73 ,0xa9 ,0x41 ,0x67 ,0xfd ,0xd4 ,0xdb ,0xcd  ,0x49 ,0xed ,0x63 ,0x29 ,0x97 ,0xb5 ,0x6d ,0xea
+,0x69 ,0xbc ,0x24 ,0x2c ,0x1b ,0x09 ,0x32 ,0x09  ,0x65 ,0x99 ,0xc4 ,0xd0 ,0x76 ,0x9a ,0x07 ,0xd9
+,0x69 ,0x5e ,0x30 ,0xbe ,0x6f ,0x67 ,0x0b ,0xa4  ,0x90 ,0xe0 ,0x3e ,0xd7 ,0xf9 ,0xe8 ,0xb6 ,0x20
+,0xc6 ,0xd8 ,0x4e ,0xfd ,0x7e ,0x3f ,0x6f ,0xf3  ,0x97 ,0x09 ,0x82 ,0xec ,0x81 ,0x53 ,0x10 ,0x32
+,0x8c ,0xa8 ,0xfe ,0xf4 ,0x77 ,0x48 ,0x0d ,0x84  ,0x83 ,0x14 ,0xeb ,0xa4 ,0x75 ,0xaa ,0x30 ,0x03
+,0x3a ,0xa5 ,0x54 ,0x7e ,0xb3 ,0x2e ,0x2b ,0x95  ,0xcf ,0x4d ,0x8c ,0x67 ,0x6d ,0xf1 ,0x48 ,0xc1
+,0x96 ,0x0b ,0xb2 ,0x2d ,0x07 ,0x27 ,0x65 ,0xa3  ,0x3b ,0x96 ,0x76 ,0xc4 ,0xa9 ,0x2c ,0x65 ,0xcb
+,0xa4 ,0xaf ,0x75 ,0xec ,0x7c ,0x90 ,0x3a ,0x8e  ,0x78 ,0xa6 ,0xa5 ,0x4a ,0x99 ,0x79 ,0x51 ,0x20
+,0x60 ,0x67 ,0x9a ,0xc8 ,0x96 ,0x03 ,0xa1 ,0x98  ,0xfc ,0x88 ,0x24 ,0x50 ,0xaf ,0xb7 ,0x30 ,0xb7
+,0x68 ,0x8a ,0x83 ,0xbc ,0x62 ,0xff ,0x93 ,0x70  ,0xc7 ,0x72 ,0xf3 ,0x95 ,0x48 ,0xf1 ,0x9c ,0x5e
+,0x1a ,0x66 ,0x2e ,0xa1 ,0x1d ,0x4a ,0xf7 ,0x9d  ,0x04 ,0x52 ,0xdd ,0x19 ,0xfe ,0x1e ,0x4e ,0x2d
+,0x9b ,0x9e ,0x6f ,0x7f ,0x0b ,0x93 ,0x0b ,0x3b  ,0x08 ,0x81 ,0x68 ,0x9b ,0x0d ,0x45 ,0xf7 ,0xd6
+,0x75 ,0xf7 ,0xb6 ,0xbf ,0xa9 ,0x63 ,0x24 ,0xab  ,0x92 ,0x38 ,0x3a ,0xac ,0x04 ,0x69 ,0x14 ,0x7f
+,0x02 ,0x03 ,0x01 ,0x00 ,0x01 ,0xa3 ,0x53 ,0x30  ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e
+,0x04 ,0x16 ,0x04 ,0x14 ,0x89 ,0x84 ,0xb5 ,0xcf  ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d ,0xfe
+,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc ,0xe5  ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04
+,0x18 ,0x30 ,0x16 ,0x80 ,0x14 ,0x89 ,0x84 ,0xb5  ,0xcf ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d
+,0xfe ,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc  ,0xe5 ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13
+,0x01 ,0x01 ,0xff ,0x04 ,0x05 ,0x30 ,0x03 ,0x01  ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86
+,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05  ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x37 ,0xba
+,0x93 ,0xe4 ,0x7e ,0xcd ,0xb2 ,0xa4 ,0xe2 ,0x75  ,0x37 ,0x53 ,0xbc ,0x43 ,0x47 ,0xc9 ,0x94 ,0x51
+,0xa9 ,0x14 ,0x28 ,0x0a ,0xa6 ,0xa1 ,0x90 ,0x0a  ,0xbc ,0x50 ,0x67 ,0x85 ,0x47 ,0xb7 ,0xfc ,0xe3
+,0xd5 ,0x45 ,0xde ,0x89 ,0x99 ,0x46 ,0xba ,0xff  ,0x32 ,0x45 ,0x70 ,0x22 ,0x84 ,0x9e ,0x35 ,0x9c
+,0x0a ,0xea ,0x63 ,0xf5 ,0xc7 ,0x7c ,0xe0 ,0xc1  ,0x9f ,0xb1 ,0xb6 ,0xe0 ,0xc1 ,0x1c ,0xb1 ,0xba
+,0xeb ,0x6d ,0x53 ,0xde ,0xb2 ,0xf9 ,0xf8 ,0x4a  ,0x2c ,0x48 ,0xf4 ,0x12 ,0xcb ,0x26 ,0x3c ,0xe9
+,0x1c ,0xb1 ,0xd3 ,0x36 ,0x48 ,0xa4 ,0xec ,0x24  ,0x35 ,0xf3 ,0x47 ,0xa9 ,0xf7 ,0xe1 ,0xfb ,0x38
+,0xf0 ,0x23 ,0x46 ,0x02 ,0xf5 ,0x76 ,0xd1 ,0x39  ,0xf9 ,0x58 ,0x50 ,0x5c ,0xe9 ,0x39 ,0xa8 ,0x97
+,0x41 ,0x66 ,0xa0 ,0x8a ,0xb2 ,0xd9 ,0x83 ,0x2d  ,0xed ,0xb0 ,0x49 ,0x2b ,0x6a ,0xc4 ,0xd8 ,0x37
+,0xc0 ,0x6f ,0x51 ,0xab ,0x46 ,0x26 ,0x0f ,0x90  ,0x2b ,0x63 ,0xc2 ,0x87 ,0x75 ,0xaa ,0x47 ,0xbc
+,0xbe ,0x9d ,0x54 ,0x17 ,0x54 ,0xa0 ,0x7c ,0x1b  ,0x58 ,0x82 ,0x3f ,0x44 ,0x0b ,0xc1 ,0xa6 ,0xcc
+,0xe2 ,0x53 ,0xde ,0x6e ,0xf7 ,0x52 ,0x0d ,0x83  ,0xb7 ,0x03 ,0xfd ,0xed ,0x4c ,0xc3 ,0x76 ,0xe6
+,0x14 ,0xb9 ,0xc9 ,0x45 ,0xc0 ,0x40 ,0x45 ,0x4a  ,0x70 ,0x40 ,0xe6 ,0x1a ,0x10 ,0x76 ,0x0c ,0xab
+,0x2b ,0x9e ,0xe9 ,0xfd ,0x29 ,0xcb ,0xf8 ,0xce  ,0x11 ,0xf7 ,0x27 ,0x43 ,0xbb ,0xcd ,0xba ,0x22
+,0x5b ,0x61 ,0x5f ,0x63 ,0x16 ,0xb3 ,0x2b ,0x83  ,0x75 ,0x98 ,0x2e ,0xca ,0x0a ,0x9e ,0x8c ,0x5a
+,0xd5 ,0x77 ,0xb5 ,0xa2 ,0x74 ,0xeb ,0x94 ,0x4f  ,0x8f ,0xf6 ,0xc3 ,0x30 ,0x9c ,0xf4 ,0x6e ,0x9b
+,0x5d ,0xd7 ,0x0f ,0x43 ,0x16 ,0xba ,0x5e ,0xa3  ,0xe3 ,0x8b ,0x8f ,0x74 ,0x27 ,0xaf ,0x31 ,0x82
+,0x01 ,0xb1 ,0x30 ,0x82 ,0x01 ,0xad ,0x02 ,0x01  ,0x01 ,0x30 ,0x81 ,0x85 ,0x30 ,0x78 ,0x31 ,0x0b
+,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13  ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06
+,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65  ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06
+,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75  ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a
+,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49  ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03
+,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43  ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04
+,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30  ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7
+,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61  ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69
+,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x02 ,0x09  ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20 ,0x41 ,0x00 ,0xa8
+,0xeb ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48  ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 ,0x01 ,0x05 ,0x00
+,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86  ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x04
+,0x82 ,0x01 ,0x00 ,0x9a ,0x63 ,0x09 ,0xe0 ,0x7f  ,0xb8 ,0x20 ,0xd5 ,0x19 ,0x63 ,0x05 ,0x37 ,0x22
+,0x8d ,0xe4 ,0x03 ,0x0e ,0xd1 ,0x62 ,0x05 ,0x90  ,0xb4 ,0x49 ,0x9b ,0x03 ,0x1c ,0x4b ,0xd8 ,0x0f
+,0x0f ,0xf5 ,0x43 ,0x17 ,0xe9 ,0xf6 ,0xb4 ,0x5f  ,0x41 ,0x0f ,0xc1 ,0x7e ,0x92 ,0x5d ,0x39 ,0x53
+,0xd7 ,0x5c ,0x7a ,0x0b ,0x00 ,0x71 ,0x62 ,0x29  ,0x7c ,0xb2 ,0xf7 ,0x85 ,0xc6 ,0x77 ,0x34 ,0x9c
+,0x6c ,0xdc ,0x08 ,0x8d ,0x11 ,0x93 ,0x5c ,0x8c  ,0x0d ,0x76 ,0xc0 ,0x27 ,0xc2 ,0x1f ,0x15 ,0x32
+,0x72 ,0xdc ,0xff ,0xfc ,0xf1 ,0x56 ,0xbd ,0x82  ,0xe4 ,0xe4 ,0xc0 ,0xbd ,0x76 ,0xaa ,0x99 ,0x16
+,0x89 ,0x26 ,0x43 ,0x2c ,0xef ,0xa8 ,0xd4 ,0x2e  ,0x01 ,0x77 ,0x13 ,0x32 ,0xbe ,0xdc ,0xea ,0xaf
+,0xc0 ,0x18 ,0x4d ,0x90 ,0xb5 ,0x8d ,0x07 ,0xd7  ,0x86 ,0x21 ,0x71 ,0x3f ,0xf7 ,0x18 ,0xa9 ,0x41
+,0x3b ,0x97 ,0xf9 ,0x4f ,0xe8 ,0x3a ,0x91 ,0x8b  ,0xe8 ,0xf1 ,0xae ,0x99 ,0x63 ,0x5d ,0xc1 ,0x63
+,0xc2 ,0x74 ,0xdf ,0xeb ,0x3e ,0x10 ,0xa5 ,0x34  ,0x24 ,0x95 ,0x1d ,0xba ,0xd2 ,0xa0 ,0xae ,0x78
+,0x94 ,0x0b ,0xfd ,0x75 ,0x4b ,0x55 ,0x4c ,0x1d  ,0x75 ,0x91 ,0xc9 ,0xd0 ,0x1c ,0x48 ,0x01 ,0x84
+,0x35 ,0xbd ,0xcd ,0xbf ,0xbc ,0x5b ,0xd0 ,0x83  ,0xf4 ,0x0d ,0x19 ,0x4f ,0x9c ,0xa7 ,0xfe ,0x60
+,0x24 ,0x9b ,0x06 ,0x9d ,0x7e ,0xe5 ,0x3b ,0x69  ,0x7f ,0x6a ,0x09 ,0x73 ,0xb9 ,0x7d ,0x23 ,0x70
+,0x6e ,0x70 ,0x5e ,0x20 ,0x67 ,0xda ,0x65 ,0xfe  ,0x27 ,0x07 ,0x27 ,0xee ,0x38 ,0x22 ,0xd1 ,0x12
+,0x94 ,0xf6 ,0x8c ,0x14 ,0x95 ,0xd7 ,0x8e ,0xc6  ,0x43 ,0x71 ,0xc1 ,0xcf ,0x96 ,0xcb ,0x7b ,0xa7
+,0x98 ,0x7b ,0x83 ,0x65 ,0x2c ,0xd9 ,0x9f ,0xb3  ,0xff ,0x05 ,0xa3 ,0x70 ,0xc0 ,0x52 ,0x8c ,0xf3
+,0x2c ,0x2e ,0x3d ,0xa1 ,0x59 ,0xc0 ,0xa5 ,0xe4  ,0x94 ,0xa7 ,0x4a ,0x87 ,0xb5 ,0xab ,0x15 ,0x5c
+,0x2b ,0xf0 ,0x72 ,0xf8 ,0x03 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x00 ,0xdc ,0x03 ,0x00 ,0x00 ,0x00
+,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30
+,0x82 ,0x03 ,0xc8 ,0x30 ,0x82 ,0x02 ,0xb0 ,0xa0  ,0x03 ,0x02 ,0x01 ,0x02 ,0x02 ,0x09 ,0x00 ,0xb0
+,0x40 ,0xaf ,0x25 ,0xfd ,0xbc ,0xd9 ,0xb1 ,0x30  ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7
+,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x79  ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04
+,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30  ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05
+,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30  ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06
+,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c  ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c
+,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a  ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c
+,0x54 ,0x43 ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03  ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b
+,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86  ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16
+,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69  ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f
+,0x6d ,0x30 ,0x1e ,0x17 ,0x0d ,0x32 ,0x30 ,0x30  ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x35
+,0x35 ,0x5a ,0x17 ,0x0d ,0x32 ,0x31 ,0x30 ,0x39  ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x35 ,0x35
+,0x5a ,0x30 ,0x79 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06  ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53
+,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04  ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73
+,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04  ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69
+,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55  ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31
+,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b  ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0c ,0x30
+,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03  ,0x4b ,0x45 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d ,0x06
+,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01  ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e
+,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d  ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x82 ,0x01 ,0x22
+,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86  ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03
+,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a  ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xc1 ,0xeb ,0xb8
+,0xf7 ,0x3f ,0x53 ,0xb6 ,0xa1 ,0x8a ,0x3f ,0xca  ,0x99 ,0x56 ,0xbc ,0x3b ,0xdf ,0xbf ,0x70 ,0x0a
+,0x78 ,0x5b ,0x06 ,0xc1 ,0xeb ,0xbe ,0x4e ,0xd7  ,0xd9 ,0xe9 ,0x57 ,0x1f ,0xc4 ,0xf4 ,0xe5 ,0x78
+,0xb6 ,0x14 ,0xda ,0x87 ,0x43 ,0x31 ,0xad ,0x6d  ,0x9f ,0xae ,0x6c ,0x44 ,0xe3 ,0x12 ,0xe4 ,0xf1
+,0xa4 ,0x81 ,0xf8 ,0x7d ,0x09 ,0x0e ,0xa6 ,0x6a  ,0xe1 ,0xf7 ,0xcb ,0xe9 ,0x63 ,0xd6 ,0xd6 ,0x58
+,0x28 ,0x10 ,0xf2 ,0xb9 ,0xcf ,0xd7 ,0x85 ,0x95  ,0x0b ,0x24 ,0x51 ,0xe8 ,0x5a ,0x08 ,0x74 ,0xbc
+,0x42 ,0x9b ,0xd6 ,0x84 ,0xcd ,0x5e ,0xe5 ,0x61  ,0x83 ,0x7c ,0x5f ,0x0e ,0x3a ,0x9d ,0x3d ,0x6d
+,0x84 ,0xe2 ,0xc0 ,0x26 ,0x64 ,0x35 ,0x80 ,0x6c  ,0xb1 ,0x37 ,0x72 ,0x38 ,0x00 ,0xa0 ,0x90 ,0x51
+,0xd3 ,0x64 ,0x01 ,0x62 ,0x70 ,0xf8 ,0xa4 ,0xe4  ,0xc8 ,0x87 ,0x4c ,0xe1 ,0x76 ,0xd7 ,0xe6 ,0xbf
+,0xed ,0x08 ,0xba ,0xde ,0x42 ,0x90 ,0x00 ,0xb7  ,0x19 ,0x81 ,0x91 ,0xd0 ,0x18 ,0xcb ,0x03 ,0xe6
+,0xf5 ,0xf9 ,0x31 ,0x2b ,0x56 ,0xc3 ,0x21 ,0x39  ,0x4d ,0x9a ,0x63 ,0x0a ,0xb7 ,0x1c ,0xa9 ,0xdc
+,0xce ,0xa9 ,0xc4 ,0xe0 ,0x0a ,0xa4 ,0x53 ,0x8f  ,0x78 ,0xd1 ,0xc0 ,0x3f ,0xc2 ,0x8e ,0x8a ,0x37
+,0x52 ,0x42 ,0x60 ,0x97 ,0xb3 ,0x53 ,0xaa ,0xa4  ,0x4f ,0x98 ,0x7e ,0xa5 ,0x2a ,0xe1 ,0x52 ,0xfa
+,0x9f ,0xc1 ,0x32 ,0xf7 ,0x15 ,0x12 ,0x62 ,0x6b  ,0x5a ,0x4d ,0xfe ,0x22 ,0x8d ,0x88 ,0x87 ,0xfd
+,0x83 ,0x2f ,0xaa ,0x1a ,0xb8 ,0xad ,0x3d ,0x4f  ,0xdc ,0xe0 ,0x39 ,0x8b ,0x88 ,0xed ,0xc6 ,0xf5
+,0xee ,0x32 ,0xea ,0xd6 ,0x25 ,0xcf ,0x91 ,0x66  ,0x77 ,0x4c ,0xa1 ,0x0c ,0x6a ,0x7b ,0x6e ,0xb2
+,0x72 ,0xa8 ,0xf4 ,0xc7 ,0xeb ,0xa4 ,0x91 ,0xda  ,0x5d ,0x14 ,0xf9 ,0x9e ,0xe9 ,0x02 ,0x03 ,0x01
+,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d  ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04
+,0x14 ,0x78 ,0x48 ,0xa9 ,0x71 ,0x20 ,0x25 ,0xcf  ,0x26 ,0xe8 ,0x18 ,0x91 ,0x75 ,0xd6 ,0xad ,0xb1
+,0x5f ,0x7f ,0x6b ,0x7f ,0x6d ,0x30 ,0x1f ,0x06  ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16
+,0x80 ,0x14 ,0x78 ,0x48 ,0xa9 ,0x71 ,0x20 ,0x25  ,0xcf ,0x26 ,0xe8 ,0x18 ,0x91 ,0x75 ,0xd6 ,0xad
+,0xb1 ,0x5f ,0x7f ,0x6b ,0x7f ,0x6d ,0x30 ,0x0f  ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff
+,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30  ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7
+,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82  ,0x01 ,0x01 ,0x00 ,0x7a ,0xc8 ,0xc9 ,0x0e ,0x45
+,0x1c ,0xa6 ,0xce ,0xd5 ,0xdb ,0x9c ,0x5d ,0x95  ,0x8b ,0x8b ,0xbc ,0x90 ,0xca ,0x98 ,0xd1 ,0xe9
+,0x4b ,0xfb ,0xf3 ,0xef ,0x48 ,0xb0 ,0x9e ,0x0d  ,0x95 ,0x0f ,0x3a ,0xa0 ,0xb6 ,0x93 ,0x9f ,0xc6
+,0xf7 ,0xca ,0xca ,0xf1 ,0x04 ,0x90 ,0x4d ,0x6b  ,0x57 ,0xc1 ,0xe5 ,0x85 ,0xfd ,0x87 ,0x09 ,0xe5
+,0xaf ,0x98 ,0x89 ,0x32 ,0x27 ,0x35 ,0x85 ,0xcf  ,0xe1 ,0x1f ,0xaf ,0xc0 ,0x8c ,0x3f ,0x2a ,0xba
+,0xa4 ,0xfc ,0xaa ,0x40 ,0x02 ,0x7c ,0x57 ,0xd9  ,0x73 ,0xc6 ,0xc0 ,0x59 ,0xcb ,0x47 ,0x71 ,0x07
+,0x1a ,0xfe ,0x46 ,0xb1 ,0x81 ,0x14 ,0x6b ,0xa5  ,0xeb ,0xe7 ,0x9c ,0x2b ,0x87 ,0xee ,0x72 ,0x96
+,0xe0 ,0xb0 ,0x11 ,0x86 ,0x33 ,0x95 ,0xdf ,0x6e  ,0x9c ,0x3f ,0x0f ,0xc1 ,0x46 ,0x8c ,0x53 ,0x12
+,0xf1 ,0xd9 ,0xa8 ,0xee ,0x04 ,0xc5 ,0x71 ,0x52  ,0x22 ,0x13 ,0x0f ,0x91 ,0x0c ,0x73 ,0xca ,0x34
+,0xb1 ,0x36 ,0x5f ,0x8c ,0x2e ,0x0f ,0x3a ,0x04  ,0x42 ,0xfe ,0x45 ,0x82 ,0x29 ,0x56 ,0x5e ,0xe5
+,0x4c ,0xeb ,0x4b ,0xa6 ,0xe5 ,0xe0 ,0x1d ,0x74  ,0xc0 ,0x5a ,0x2f ,0x42 ,0xa5 ,0xf2 ,0x65 ,0xd5
+,0x4d ,0x3b ,0x22 ,0xd2 ,0x96 ,0x42 ,0xcf ,0xbd  ,0xd7 ,0x8b ,0x37 ,0x7a ,0xb6 ,0xd9 ,0xd4 ,0xd7
+,0x45 ,0x47 ,0x3b ,0x3c ,0xb3 ,0xd9 ,0x29 ,0x69  ,0x91 ,0x7d ,0x4c ,0x06 ,0xad ,0x6c ,0xea ,0x62
+,0xf1 ,0xf7 ,0xec ,0x67 ,0xae ,0xd5 ,0x43 ,0xd0  ,0xab ,0xb8 ,0xbf ,0xa4 ,0x28 ,0xd4 ,0x75 ,0xd2
+,0x3f ,0x53 ,0x5d ,0xa8 ,0x09 ,0x46 ,0x89 ,0x7f  ,0x84 ,0x36 ,0xad ,0x78 ,0x41 ,0x03 ,0xf4 ,0xc4
+,0x43 ,0x43 ,0xdc ,0x52 ,0xc6 ,0xff ,0xab ,0xd6  ,0x8c ,0x7f ,0xc0 ,0xab ,0x67 ,0x5b ,0x0b ,0xa9
+,0x6a ,0xd2 ,0x85 ,0x71 ,0x9f ,0xc2};
+
+unsigned int trimmedKEK_auth_len = 2518;
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c
index 8259ffa1..a769863b 100644
--- a/libstb/secvar/test/secvar-test-edk2-compat.c
+++ b/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -12,6 +12,7 @@
 #include "./data/KEK.h"
 #include "./data/invalidkek.h"
 #include "./data/malformedkek.h"
+#include "./data/trimmedKEK.h"
 #include "./data/db.h"
 #include "./data/dbsigneddata.h"
 #include "./data/OldTSKEK.h"
@@ -196,6 +197,21 @@ int run_test()
 	tmp = find_secvar("db", 3, &variable_bank);
 	ASSERT(NULL != tmp);
 
+	/* Add trimmed KEK, .process(), should fail. */
+	printf("Add trimmed KEK\n");
+	tmp = new_secvar("KEK", 4, trimmedKEK_auth, trimmedKEK_auth_len, 0);
+	ASSERT(0 == edk2_compat_validate(tmp));
+	list_add_tail(&update_bank, &tmp->link);
+	ASSERT(1 == list_length(&update_bank));
+
+	rc = edk2_compat_process(&variable_bank, &update_bank);
+	ASSERT(OPAL_PARAMETER == rc);
+	ASSERT(5 == list_length(&variable_bank));
+	ASSERT(0 == list_length(&update_bank));
+	tmp = find_secvar("KEK", 4, &variable_bank);
+	ASSERT(NULL != tmp);
+	ASSERT(0 == tmp->data_size);
+
 	/* Add valid KEK, .process(), succeeds. */
 	printf("Add KEK");
 	tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0);

From patchwork Tue Jul 20 16:04:59 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nick Child <nnac123@gmail.com>
X-Patchwork-Id: 1507668
Return-Path: 
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org
 (client-ip=112.213.38.117; helo=lists.ozlabs.org;
 envelope-from=skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=TzAzZ79Q;
	dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4GTl356zx1z9sWd
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:09 +1000 (AEST)
Received: from boromir.ozlabs.org (localhost [IPv6:::1])
	by lists.ozlabs.org (Postfix) with ESMTP id 4GTl354t7tz3bSn
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:09 +1000 (AEST)
Authentication-Results: lists.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=TzAzZ79Q;
	dkim-atps=neutral
X-Original-To: skiboot-stable@lists.ozlabs.org
Delivered-To: skiboot-stable@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized)
 smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::72b;
 helo=mail-qk1-x72b.google.com; envelope-from=nnac123@gmail.com;
 receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=TzAzZ79Q; dkim-atps=neutral
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com
 [IPv6:2607:f8b0:4864:20::72b])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by lists.ozlabs.org (Postfix) with ESMTPS id 4GTk7w4TChz2xKM
 for <skiboot-stable@lists.ozlabs.org>; Wed, 21 Jul 2021 02:05:15 +1000 (AEST)
Received: by mail-qk1-x72b.google.com with SMTP id 23so20520476qke.0
 for <skiboot-stable@lists.ozlabs.org>; Tue, 20 Jul 2021 09:05:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=6V+kLOry1SSlUa07RqqgV3a4f0cQupZlp+9V3SEh8Wk=;
 b=TzAzZ79Q+aWVvqBZ3TcI0hT0YBWhEcrEznKtTN/aSRqVhEfUXUocRUDh6CAeqJA4+n
 aPfOTJUln4BffhImuJiN/8BP39wv5kwg0a003eVOKz3+wWBTGbAaFxNpHUubyHc1BB6z
 kKpEQYcyzqo/soMMQJXHJbFk5B1SyUAj1tsW/TMxsP6yRJVL8NmxMDRL2/kVQK9dEjWQ
 UFcABFSXz8juzF52UpPGRcbQegUjYBOXlWBy2hicLU89nIY0SLZenz6i2NtWv/Y9IC1L
 R4EfMJ8UW2e9Cw9DCsG8td3JZQhFx5G6d7pCE/t85EnoXbuCxuz/OrzxzTQdZi3Upyyg
 MoSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=6V+kLOry1SSlUa07RqqgV3a4f0cQupZlp+9V3SEh8Wk=;
 b=Q3/1LeoFdatqFPlH7mDCSgWkD24HL9+xJUcegKP6IJRwH3red6qaMIE+NgoFYDyKoA
 i4JTdoCDgx4Orn/3+Fd2KbaRcPsl4vtudR3oIyKPEYkT9E71RPLZ5CggeEFWQIITn9gT
 J1EFSyPRoRarNnKS6XAqOg9pXUMAWh1XmQCiQTTCnLkkZScSSG8h1vxvOfn8L9QhGgZr
 orIUk188OhycqfAA8uF8Q23v5NxO5YZhkxacs+T0PzXGP4bsldj8dnPwgdYpeV7pwZBx
 ZZo0eHBlZeJO0WM13AxBXXc41C/eSmEST/3ZCkEMzjvG/fUTsOCCG5pzzbFmFtia918T
 ZNDg==
X-Gm-Message-State: AOAM532/Vyw8GLv29nX6Jg4RM0hTMytuKgwjTYaZW7BX5atWto7+fOEU
 RElbs8I/3MQwojxuxYYQaTny1r3t4lwRdg==
X-Google-Smtp-Source: 
 ABdhPJwobxSr6zgGtGI60KfDqiqDeWrX7YL3hhK1G5AJmDAUkFxPhE1rCigVCVpH6TfJub2Z1tkaFQ==
X-Received: by 2002:a05:620a:e09:: with SMTP id
 y9mr29735943qkm.359.1626797112577;
 Tue, 20 Jul 2021 09:05:12 -0700 (PDT)
Received: from starship-12.hsd1.fl.comcast.net
 ([2601:589:4a00:1ed0:4391:e426:6e2:788b])
 by smtp.gmail.com with ESMTPSA id 67sm7964727qtf.83.2021.07.20.09.05.11
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 20 Jul 2021 09:05:12 -0700 (PDT)
From: Nick Child <nnac123@gmail.com>
X-Google-Original-From: Nick Child <nick.child@ibm.com>
To: skiboot-stable@lists.ozlabs.org
Date: Tue, 20 Jul 2021 12:04:59 -0400
Message-Id: <20210720160501.9850-2-nick.child@ibm.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210720160501.9850-1-nick.child@ibm.com>
References: <20210720160501.9850-1-nick.child@ibm.com>
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 21 Jul 2021 02:46:07 +1000
Subject: [Skiboot-stable] [PATCH v1 2/4] secvar: Make `validate_esl_list`
 iterate through esl chain
X-BeenThere: skiboot-stable@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Patches, review, and discussion for stable releases of skiboot"
 <skiboot-stable.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/skiboot-stable/>
List-Post: <mailto:skiboot-stable@lists.ozlabs.org>
List-Help: <mailto:skiboot-stable-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=subscribe>
Cc: nick.child@ibm.com, Nick Child <nnac123@gmail.com>, nayna@linux.ibm.com,
 dja@axtens.net
Errors-To: 
 skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot-stable"
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

From: Nick Child <nnac123@gmail.com>

commit ID: 0917fd18ac30f8935563d26629a02f210a485687 from upstream.

Currently, the loop in validate_esl_list is not iterating through the ESL
entries. As a consequence, all of entries after the first are not being
validated and can contain any data. In order to iterate, the pointer to the
esl buffer must be incremented by the amount of already read bytes.

This commit also adds a new test case and file. The file is
`multipletrimmedKEK.h` the array is very similar to the one in `trimmedKEK.h`
except this one only has an invalid ESL as the second ESL in the chain. This
then tests the condition that this commit tests because only the second ESL
is invalid.

Fixes: 87562bc5c1a6 ("secvar/backend: add edk2 derived key updates processing")
Signed-off-by: Nick Child <nick.child@ibm.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
---
 libstb/secvar/backend/edk2-compat-process.c  |   7 +-
 libstb/secvar/test/data/multipletrimmedKEK.h | 225 +++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c |  16 ++
 3 files changed, 244 insertions(+), 4 deletions(-)
 create mode 100644 libstb/secvar/test/data/multipletrimmedKEK.h

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 55b50d68..81ddb9a6 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -262,11 +262,10 @@ int validate_esl_list(const char *key, const char *esl, const size_t size)
 	int eslvarsize = size;
 	int eslsize;
 	int rc = OPAL_SUCCESS;
-	int offset = 0;
 	EFI_SIGNATURE_LIST *list = NULL;
 
 	while (eslvarsize > 0) {
-		prlog(PR_DEBUG, "esl var size size is %d offset is %d\n", eslvarsize, offset);
+		prlog(PR_DEBUG, "esl var size is %d offset is %lu\n", eslvarsize, size - eslvarsize);
 		if (eslvarsize < sizeof(EFI_SIGNATURE_LIST))
 			break;
 
@@ -312,7 +311,7 @@ int validate_esl_list(const char *key, const char *esl, const size_t size)
 		count++;
 
 		/* Look for the next ESL */
-		offset = offset + eslsize;
+		esl = esl + eslsize;
 		eslvarsize = eslvarsize - eslsize;
 		free(data);
 		/* Since we are going to allocate again in the next iteration */
@@ -488,7 +487,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
 
 	/* Variable is not empty */
 	while (eslvarsize > 0) {
-		prlog(PR_DEBUG, "esl var size size is %d offset is %d\n", eslvarsize, offset);
+		prlog(PR_DEBUG, "esl var size is %d offset is %d\n", eslvarsize, offset);
 		if (eslvarsize < sizeof(EFI_SIGNATURE_LIST))
 			break;
 
diff --git a/libstb/secvar/test/data/multipletrimmedKEK.h b/libstb/secvar/test/data/multipletrimmedKEK.h
new file mode 100644
index 00000000..bff93bf0
--- /dev/null
+++ b/libstb/secvar/test/data/multipletrimmedKEK.h
@@ -0,0 +1,225 @@
+unsigned char multipletrimmedKEK_auth[] = {
+0xe4 ,0x07 ,0x09 ,0x0e ,0x0e ,0x37 ,0x12 ,0x00  ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
+,0xd3 ,0x05 ,0x00 ,0x00 ,0x00 ,0x02 ,0xf1 ,0x0e  ,0x9d ,0xd2 ,0xaf ,0x4a ,0xdf ,0x68 ,0xee ,0x49
+,0x8a ,0xa9 ,0x34 ,0x7d ,0x37 ,0x56 ,0x65 ,0xa7  ,0x30 ,0x82 ,0x05 ,0xb7 ,0x06 ,0x09 ,0x2a ,0x86
+,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x02 ,0xa0  ,0x82 ,0x05 ,0xa8 ,0x30 ,0x82 ,0x05 ,0xa4 ,0x02
+,0x01 ,0x01 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x09  ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02
+,0x01 ,0x05 ,0x00 ,0x30 ,0x0b ,0x06 ,0x09 ,0x2a  ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x01
+,0xa0 ,0x82 ,0x03 ,0xca ,0x30 ,0x82 ,0x03 ,0xc6  ,0x30 ,0x82 ,0x02 ,0xae ,0xa0 ,0x03 ,0x02 ,0x01
+,0x02 ,0x02 ,0x09 ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20  ,0x41 ,0x00 ,0xa8 ,0xeb ,0x30 ,0x0d ,0x06 ,0x09
+,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01  ,0x0b ,0x05 ,0x00 ,0x30 ,0x78 ,0x31 ,0x0b ,0x30
+,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02  ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03
+,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78  ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03
+,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73  ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06
+,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42  ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55
+,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31  ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x03
+,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d  ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d
+,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79  ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62
+,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x1e ,0x17  ,0x0d ,0x32 ,0x30 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31
+,0x35 ,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x17 ,0x0d  ,0x32 ,0x31 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35
+,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x30 ,0x78 ,0x31  ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06
+,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c  ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54
+,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d  ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41
+,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30  ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03
+,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06  ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54
+,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55  ,0x04 ,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f
+,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86  ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e
+,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40  ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30
+,0x82 ,0x01 ,0x22 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a  ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01
+,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x0f ,0x00 ,0x30  ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00
+,0xaf ,0xca ,0xd3 ,0xaa ,0xb0 ,0xc7 ,0xb5 ,0x2e  ,0x3b ,0x12 ,0x27 ,0x68 ,0x2d ,0x90 ,0x17 ,0xc4
+,0x21 ,0x93 ,0x58 ,0x53 ,0xd7 ,0xa6 ,0x2f ,0x40  ,0xfa ,0x37 ,0x8e ,0x7a ,0x85 ,0x5b ,0xd3 ,0xa8
+,0x9d ,0xac ,0xa1 ,0x6a ,0x52 ,0xeb ,0x07 ,0x05  ,0x8c ,0x74 ,0x00 ,0xbe ,0xa6 ,0x54 ,0x1b ,0x1d
+,0x73 ,0xa9 ,0x41 ,0x67 ,0xfd ,0xd4 ,0xdb ,0xcd  ,0x49 ,0xed ,0x63 ,0x29 ,0x97 ,0xb5 ,0x6d ,0xea
+,0x69 ,0xbc ,0x24 ,0x2c ,0x1b ,0x09 ,0x32 ,0x09  ,0x65 ,0x99 ,0xc4 ,0xd0 ,0x76 ,0x9a ,0x07 ,0xd9
+,0x69 ,0x5e ,0x30 ,0xbe ,0x6f ,0x67 ,0x0b ,0xa4  ,0x90 ,0xe0 ,0x3e ,0xd7 ,0xf9 ,0xe8 ,0xb6 ,0x20
+,0xc6 ,0xd8 ,0x4e ,0xfd ,0x7e ,0x3f ,0x6f ,0xf3  ,0x97 ,0x09 ,0x82 ,0xec ,0x81 ,0x53 ,0x10 ,0x32
+,0x8c ,0xa8 ,0xfe ,0xf4 ,0x77 ,0x48 ,0x0d ,0x84  ,0x83 ,0x14 ,0xeb ,0xa4 ,0x75 ,0xaa ,0x30 ,0x03
+,0x3a ,0xa5 ,0x54 ,0x7e ,0xb3 ,0x2e ,0x2b ,0x95  ,0xcf ,0x4d ,0x8c ,0x67 ,0x6d ,0xf1 ,0x48 ,0xc1
+,0x96 ,0x0b ,0xb2 ,0x2d ,0x07 ,0x27 ,0x65 ,0xa3  ,0x3b ,0x96 ,0x76 ,0xc4 ,0xa9 ,0x2c ,0x65 ,0xcb
+,0xa4 ,0xaf ,0x75 ,0xec ,0x7c ,0x90 ,0x3a ,0x8e  ,0x78 ,0xa6 ,0xa5 ,0x4a ,0x99 ,0x79 ,0x51 ,0x20
+,0x60 ,0x67 ,0x9a ,0xc8 ,0x96 ,0x03 ,0xa1 ,0x98  ,0xfc ,0x88 ,0x24 ,0x50 ,0xaf ,0xb7 ,0x30 ,0xb7
+,0x68 ,0x8a ,0x83 ,0xbc ,0x62 ,0xff ,0x93 ,0x70  ,0xc7 ,0x72 ,0xf3 ,0x95 ,0x48 ,0xf1 ,0x9c ,0x5e
+,0x1a ,0x66 ,0x2e ,0xa1 ,0x1d ,0x4a ,0xf7 ,0x9d  ,0x04 ,0x52 ,0xdd ,0x19 ,0xfe ,0x1e ,0x4e ,0x2d
+,0x9b ,0x9e ,0x6f ,0x7f ,0x0b ,0x93 ,0x0b ,0x3b  ,0x08 ,0x81 ,0x68 ,0x9b ,0x0d ,0x45 ,0xf7 ,0xd6
+,0x75 ,0xf7 ,0xb6 ,0xbf ,0xa9 ,0x63 ,0x24 ,0xab  ,0x92 ,0x38 ,0x3a ,0xac ,0x04 ,0x69 ,0x14 ,0x7f
+,0x02 ,0x03 ,0x01 ,0x00 ,0x01 ,0xa3 ,0x53 ,0x30  ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e
+,0x04 ,0x16 ,0x04 ,0x14 ,0x89 ,0x84 ,0xb5 ,0xcf  ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d ,0xfe
+,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc ,0xe5  ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04
+,0x18 ,0x30 ,0x16 ,0x80 ,0x14 ,0x89 ,0x84 ,0xb5  ,0xcf ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d
+,0xfe ,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc  ,0xe5 ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13
+,0x01 ,0x01 ,0xff ,0x04 ,0x05 ,0x30 ,0x03 ,0x01  ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86
+,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05  ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x37 ,0xba
+,0x93 ,0xe4 ,0x7e ,0xcd ,0xb2 ,0xa4 ,0xe2 ,0x75  ,0x37 ,0x53 ,0xbc ,0x43 ,0x47 ,0xc9 ,0x94 ,0x51
+,0xa9 ,0x14 ,0x28 ,0x0a ,0xa6 ,0xa1 ,0x90 ,0x0a  ,0xbc ,0x50 ,0x67 ,0x85 ,0x47 ,0xb7 ,0xfc ,0xe3
+,0xd5 ,0x45 ,0xde ,0x89 ,0x99 ,0x46 ,0xba ,0xff  ,0x32 ,0x45 ,0x70 ,0x22 ,0x84 ,0x9e ,0x35 ,0x9c
+,0x0a ,0xea ,0x63 ,0xf5 ,0xc7 ,0x7c ,0xe0 ,0xc1  ,0x9f ,0xb1 ,0xb6 ,0xe0 ,0xc1 ,0x1c ,0xb1 ,0xba
+,0xeb ,0x6d ,0x53 ,0xde ,0xb2 ,0xf9 ,0xf8 ,0x4a  ,0x2c ,0x48 ,0xf4 ,0x12 ,0xcb ,0x26 ,0x3c ,0xe9
+,0x1c ,0xb1 ,0xd3 ,0x36 ,0x48 ,0xa4 ,0xec ,0x24  ,0x35 ,0xf3 ,0x47 ,0xa9 ,0xf7 ,0xe1 ,0xfb ,0x38
+,0xf0 ,0x23 ,0x46 ,0x02 ,0xf5 ,0x76 ,0xd1 ,0x39  ,0xf9 ,0x58 ,0x50 ,0x5c ,0xe9 ,0x39 ,0xa8 ,0x97
+,0x41 ,0x66 ,0xa0 ,0x8a ,0xb2 ,0xd9 ,0x83 ,0x2d  ,0xed ,0xb0 ,0x49 ,0x2b ,0x6a ,0xc4 ,0xd8 ,0x37
+,0xc0 ,0x6f ,0x51 ,0xab ,0x46 ,0x26 ,0x0f ,0x90  ,0x2b ,0x63 ,0xc2 ,0x87 ,0x75 ,0xaa ,0x47 ,0xbc
+,0xbe ,0x9d ,0x54 ,0x17 ,0x54 ,0xa0 ,0x7c ,0x1b  ,0x58 ,0x82 ,0x3f ,0x44 ,0x0b ,0xc1 ,0xa6 ,0xcc
+,0xe2 ,0x53 ,0xde ,0x6e ,0xf7 ,0x52 ,0x0d ,0x83  ,0xb7 ,0x03 ,0xfd ,0xed ,0x4c ,0xc3 ,0x76 ,0xe6
+,0x14 ,0xb9 ,0xc9 ,0x45 ,0xc0 ,0x40 ,0x45 ,0x4a  ,0x70 ,0x40 ,0xe6 ,0x1a ,0x10 ,0x76 ,0x0c ,0xab
+,0x2b ,0x9e ,0xe9 ,0xfd ,0x29 ,0xcb ,0xf8 ,0xce  ,0x11 ,0xf7 ,0x27 ,0x43 ,0xbb ,0xcd ,0xba ,0x22
+,0x5b ,0x61 ,0x5f ,0x63 ,0x16 ,0xb3 ,0x2b ,0x83  ,0x75 ,0x98 ,0x2e ,0xca ,0x0a ,0x9e ,0x8c ,0x5a
+,0xd5 ,0x77 ,0xb5 ,0xa2 ,0x74 ,0xeb ,0x94 ,0x4f  ,0x8f ,0xf6 ,0xc3 ,0x30 ,0x9c ,0xf4 ,0x6e ,0x9b
+,0x5d ,0xd7 ,0x0f ,0x43 ,0x16 ,0xba ,0x5e ,0xa3  ,0xe3 ,0x8b ,0x8f ,0x74 ,0x27 ,0xaf ,0x31 ,0x82
+,0x01 ,0xb1 ,0x30 ,0x82 ,0x01 ,0xad ,0x02 ,0x01  ,0x01 ,0x30 ,0x81 ,0x85 ,0x30 ,0x78 ,0x31 ,0x0b
+,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13  ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06
+,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65  ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06
+,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75  ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a
+,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49  ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03
+,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43  ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04
+,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30  ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7
+,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61  ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69
+,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x02 ,0x09  ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20 ,0x41 ,0x00 ,0xa8
+,0xeb ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48  ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 ,0x01 ,0x05 ,0x00
+,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86  ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x04
+,0x82 ,0x01 ,0x00 ,0x3d ,0x69 ,0xc6 ,0x7f ,0x96  ,0xd3 ,0x00 ,0x22 ,0x16 ,0x28 ,0x56 ,0xd0 ,0x56
+,0x8d ,0xfe ,0xd2 ,0xed ,0xa0 ,0x36 ,0x05 ,0xb5  ,0xac ,0xd6 ,0xf6 ,0x45 ,0x5a ,0x40 ,0x47 ,0xfb
+,0x47 ,0xc2 ,0x71 ,0xaa ,0x5d ,0xc8 ,0x52 ,0xcf  ,0x46 ,0x44 ,0xfe ,0x0e ,0x64 ,0x82 ,0xda ,0x3a
+,0x23 ,0xaf ,0x79 ,0x90 ,0x2b ,0xcc ,0x3a ,0x66  ,0x29 ,0x8e ,0x78 ,0x0b ,0xdc ,0xdc ,0x06 ,0xa2
+,0xd4 ,0x87 ,0x19 ,0x7a ,0xae ,0x60 ,0xba ,0xaa  ,0xa1 ,0xca ,0x34 ,0x4f ,0x1c ,0x84 ,0xf6 ,0x26
+,0xb7 ,0xc1 ,0xe5 ,0xf4 ,0x3d ,0x3c ,0x08 ,0x42  ,0x14 ,0x8a ,0xec ,0xeb ,0x02 ,0x27 ,0x83 ,0x06
+,0x09 ,0x1c ,0xaa ,0x19 ,0x26 ,0xa5 ,0x47 ,0xc9  ,0xaa ,0x28 ,0x08 ,0xea ,0xb2 ,0x0f ,0x9a ,0x2f
+,0x06 ,0x8f ,0x68 ,0xea ,0xbe ,0x39 ,0x0d ,0x37  ,0x8c ,0xc5 ,0x42 ,0xc4 ,0xe2 ,0xba ,0x7e ,0xf1
+,0xf6 ,0x76 ,0x28 ,0x8c ,0xf3 ,0x21 ,0x97 ,0x02  ,0xf4 ,0x94 ,0xb6 ,0xc3 ,0xa8 ,0xe2 ,0x2d ,0x4b
+,0x30 ,0x05 ,0x6c ,0xd5 ,0x91 ,0xb5 ,0xaa ,0xd2  ,0xff ,0x06 ,0xd9 ,0xde ,0xa9 ,0x04 ,0xad ,0xd5
+,0x02 ,0x83 ,0x12 ,0x5a ,0x0b ,0x8f ,0xf7 ,0xfe  ,0x75 ,0x86 ,0xd0 ,0xc0 ,0xb2 ,0xd6 ,0x7d ,0xb9
+,0xa4 ,0xfa ,0x0a ,0xf0 ,0xd3 ,0x28 ,0xe7 ,0x04  ,0x41 ,0x98 ,0x49 ,0x96 ,0xa5 ,0x24 ,0xd0 ,0xc5
+,0x12 ,0xa0 ,0xec ,0xe6 ,0x68 ,0xd7 ,0x71 ,0x52  ,0x7b ,0x09 ,0x06 ,0xe6 ,0xbd ,0xa5 ,0xb4 ,0xc5
+,0x1c ,0x27 ,0x3a ,0xeb ,0xa3 ,0x0c ,0x9b ,0x20  ,0x65 ,0x1c ,0x31 ,0x62 ,0xcf ,0x53 ,0x7f ,0xec
+,0xa6 ,0x0a ,0x40 ,0xd7 ,0xab ,0xcf ,0x3c ,0x30  ,0xf3 ,0x36 ,0x03 ,0x53 ,0xff ,0x81 ,0x5d ,0xcd
+,0x22 ,0x66 ,0xec ,0x92 ,0x63 ,0xd8 ,0x57 ,0x17  ,0xda ,0x58 ,0xf2 ,0x53 ,0x43 ,0x5e ,0x10 ,0x19
+,0x53 ,0x6e ,0xfb ,0xa1 ,0x59 ,0xc0 ,0xa5 ,0xe4  ,0x94 ,0xa7 ,0x4a ,0x87 ,0xb5 ,0xab ,0x15 ,0x5c
+,0x2b ,0xf0 ,0x72 ,0xf8 ,0x03 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x00 ,0xdc ,0x03 ,0x00 ,0x00 ,0x00
+,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30
+,0x82 ,0x03 ,0xc8 ,0x30 ,0x82 ,0x02 ,0xb0 ,0xa0  ,0x03 ,0x02 ,0x01 ,0x02 ,0x02 ,0x09 ,0x00 ,0xb0
+,0x40 ,0xaf ,0x25 ,0xfd ,0xbc ,0xd9 ,0xb1 ,0x30  ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7
+,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x79  ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04
+,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30  ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05
+,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30  ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06
+,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c  ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c
+,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a  ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c
+,0x54 ,0x43 ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03  ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b
+,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86  ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16
+,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69  ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f
+,0x6d ,0x30 ,0x1e ,0x17 ,0x0d ,0x32 ,0x30 ,0x30  ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x35
+,0x35 ,0x5a ,0x17 ,0x0d ,0x32 ,0x31 ,0x30 ,0x39  ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x35 ,0x35
+,0x5a ,0x30 ,0x79 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06  ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53
+,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04  ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73
+,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04  ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69
+,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55  ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31
+,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b  ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0c ,0x30
+,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03  ,0x4b ,0x45 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d ,0x06
+,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01  ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e
+,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d  ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x82 ,0x01 ,0x22
+,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86  ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03
+,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a  ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xc1 ,0xeb ,0xb8
+,0xf7 ,0x3f ,0x53 ,0xb6 ,0xa1 ,0x8a ,0x3f ,0xca  ,0x99 ,0x56 ,0xbc ,0x3b ,0xdf ,0xbf ,0x70 ,0x0a
+,0x78 ,0x5b ,0x06 ,0xc1 ,0xeb ,0xbe ,0x4e ,0xd7  ,0xd9 ,0xe9 ,0x57 ,0x1f ,0xc4 ,0xf4 ,0xe5 ,0x78
+,0xb6 ,0x14 ,0xda ,0x87 ,0x43 ,0x31 ,0xad ,0x6d  ,0x9f ,0xae ,0x6c ,0x44 ,0xe3 ,0x12 ,0xe4 ,0xf1
+,0xa4 ,0x81 ,0xf8 ,0x7d ,0x09 ,0x0e ,0xa6 ,0x6a  ,0xe1 ,0xf7 ,0xcb ,0xe9 ,0x63 ,0xd6 ,0xd6 ,0x58
+,0x28 ,0x10 ,0xf2 ,0xb9 ,0xcf ,0xd7 ,0x85 ,0x95  ,0x0b ,0x24 ,0x51 ,0xe8 ,0x5a ,0x08 ,0x74 ,0xbc
+,0x42 ,0x9b ,0xd6 ,0x84 ,0xcd ,0x5e ,0xe5 ,0x61  ,0x83 ,0x7c ,0x5f ,0x0e ,0x3a ,0x9d ,0x3d ,0x6d
+,0x84 ,0xe2 ,0xc0 ,0x26 ,0x64 ,0x35 ,0x80 ,0x6c  ,0xb1 ,0x37 ,0x72 ,0x38 ,0x00 ,0xa0 ,0x90 ,0x51
+,0xd3 ,0x64 ,0x01 ,0x62 ,0x70 ,0xf8 ,0xa4 ,0xe4  ,0xc8 ,0x87 ,0x4c ,0xe1 ,0x76 ,0xd7 ,0xe6 ,0xbf
+,0xed ,0x08 ,0xba ,0xde ,0x42 ,0x90 ,0x00 ,0xb7  ,0x19 ,0x81 ,0x91 ,0xd0 ,0x18 ,0xcb ,0x03 ,0xe6
+,0xf5 ,0xf9 ,0x31 ,0x2b ,0x56 ,0xc3 ,0x21 ,0x39  ,0x4d ,0x9a ,0x63 ,0x0a ,0xb7 ,0x1c ,0xa9 ,0xdc
+,0xce ,0xa9 ,0xc4 ,0xe0 ,0x0a ,0xa4 ,0x53 ,0x8f  ,0x78 ,0xd1 ,0xc0 ,0x3f ,0xc2 ,0x8e ,0x8a ,0x37
+,0x52 ,0x42 ,0x60 ,0x97 ,0xb3 ,0x53 ,0xaa ,0xa4  ,0x4f ,0x98 ,0x7e ,0xa5 ,0x2a ,0xe1 ,0x52 ,0xfa
+,0x9f ,0xc1 ,0x32 ,0xf7 ,0x15 ,0x12 ,0x62 ,0x6b  ,0x5a ,0x4d ,0xfe ,0x22 ,0x8d ,0x88 ,0x87 ,0xfd
+,0x83 ,0x2f ,0xaa ,0x1a ,0xb8 ,0xad ,0x3d ,0x4f  ,0xdc ,0xe0 ,0x39 ,0x8b ,0x88 ,0xed ,0xc6 ,0xf5
+,0xee ,0x32 ,0xea ,0xd6 ,0x25 ,0xcf ,0x91 ,0x66  ,0x77 ,0x4c ,0xa1 ,0x0c ,0x6a ,0x7b ,0x6e ,0xb2
+,0x72 ,0xa8 ,0xf4 ,0xc7 ,0xeb ,0xa4 ,0x91 ,0xda  ,0x5d ,0x14 ,0xf9 ,0x9e ,0xe9 ,0x02 ,0x03 ,0x01
+,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d  ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04
+,0x14 ,0x78 ,0x48 ,0xa9 ,0x71 ,0x20 ,0x25 ,0xcf  ,0x26 ,0xe8 ,0x18 ,0x91 ,0x75 ,0xd6 ,0xad ,0xb1
+,0x5f ,0x7f ,0x6b ,0x7f ,0x6d ,0x30 ,0x1f ,0x06  ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16
+,0x80 ,0x14 ,0x78 ,0x48 ,0xa9 ,0x71 ,0x20 ,0x25  ,0xcf ,0x26 ,0xe8 ,0x18 ,0x91 ,0x75 ,0xd6 ,0xad
+,0xb1 ,0x5f ,0x7f ,0x6b ,0x7f ,0x6d ,0x30 ,0x0f  ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff
+,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30  ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7
+,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82  ,0x01 ,0x01 ,0x00 ,0x7a ,0xc8 ,0xc9 ,0x0e ,0x45
+,0x1c ,0xa6 ,0xce ,0xd5 ,0xdb ,0x9c ,0x5d ,0x95  ,0x8b ,0x8b ,0xbc ,0x90 ,0xca ,0x98 ,0xd1 ,0xe9
+,0x4b ,0xfb ,0xf3 ,0xef ,0x48 ,0xb0 ,0x9e ,0x0d  ,0x95 ,0x0f ,0x3a ,0xa0 ,0xb6 ,0x93 ,0x9f ,0xc6
+,0xf7 ,0xca ,0xca ,0xf1 ,0x04 ,0x90 ,0x4d ,0x6b  ,0x57 ,0xc1 ,0xe5 ,0x85 ,0xfd ,0x87 ,0x09 ,0xe5
+,0xaf ,0x98 ,0x89 ,0x32 ,0x27 ,0x35 ,0x85 ,0xcf  ,0xe1 ,0x1f ,0xaf ,0xc0 ,0x8c ,0x3f ,0x2a ,0xba
+,0xa4 ,0xfc ,0xaa ,0x40 ,0x02 ,0x7c ,0x57 ,0xd9  ,0x73 ,0xc6 ,0xc0 ,0x59 ,0xcb ,0x47 ,0x71 ,0x07
+,0x1a ,0xfe ,0x46 ,0xb1 ,0x81 ,0x14 ,0x6b ,0xa5  ,0xeb ,0xe7 ,0x9c ,0x2b ,0x87 ,0xee ,0x72 ,0x96
+,0xe0 ,0xb0 ,0x11 ,0x86 ,0x33 ,0x95 ,0xdf ,0x6e  ,0x9c ,0x3f ,0x0f ,0xc1 ,0x46 ,0x8c ,0x53 ,0x12
+,0xf1 ,0xd9 ,0xa8 ,0xee ,0x04 ,0xc5 ,0x71 ,0x52  ,0x22 ,0x13 ,0x0f ,0x91 ,0x0c ,0x73 ,0xca ,0x34
+,0xb1 ,0x36 ,0x5f ,0x8c ,0x2e ,0x0f ,0x3a ,0x04  ,0x42 ,0xfe ,0x45 ,0x82 ,0x29 ,0x56 ,0x5e ,0xe5
+,0x4c ,0xeb ,0x4b ,0xa6 ,0xe5 ,0xe0 ,0x1d ,0x74  ,0xc0 ,0x5a ,0x2f ,0x42 ,0xa5 ,0xf2 ,0x65 ,0xd5
+,0x4d ,0x3b ,0x22 ,0xd2 ,0x96 ,0x42 ,0xcf ,0xbd  ,0xd7 ,0x8b ,0x37 ,0x7a ,0xb6 ,0xd9 ,0xd4 ,0xd7
+,0x45 ,0x47 ,0x3b ,0x3c ,0xb3 ,0xd9 ,0x29 ,0x69  ,0x91 ,0x7d ,0x4c ,0x06 ,0xad ,0x6c ,0xea ,0x62
+,0xf1 ,0xf7 ,0xec ,0x67 ,0xae ,0xd5 ,0x43 ,0xd0  ,0xab ,0xb8 ,0xbf ,0xa4 ,0x28 ,0xd4 ,0x75 ,0xd2
+,0x3f ,0x53 ,0x5d ,0xa8 ,0x09 ,0x46 ,0x89 ,0x7f  ,0x84 ,0x36 ,0xad ,0x78 ,0x41 ,0x03 ,0xf4 ,0xc4
+,0x43 ,0x43 ,0xdc ,0x52 ,0xc6 ,0xff ,0xab ,0xd6  ,0x8c ,0x7f ,0xc0 ,0xab ,0x67 ,0x5b ,0x0b ,0xa9
+,0x6a ,0xd2 ,0x85 ,0x71 ,0x9f ,0xc2 ,0xf1 ,0x96  ,0xd2 ,0x41 ,0xb0 ,0xa1 ,0x59 ,0xc0 ,0xa5 ,0xe4
+,0x94 ,0xa7 ,0x4a ,0x87 ,0xb5 ,0xab ,0x15 ,0x5c  ,0x2b ,0xf0 ,0x72 ,0xfa ,0x03 ,0x00 ,0x00 ,0x00
+,0x00 ,0x00 ,0x00 ,0xde ,0x03 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
+,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30  ,0x82 ,0x03 ,0xca ,0x30 ,0x82 ,0x02 ,0xb2 ,0xa0
+,0x03 ,0x02 ,0x01 ,0x02 ,0x02 ,0x09 ,0x00 ,0xee  ,0x9a ,0xcd ,0x6d ,0x46 ,0xac ,0xda ,0xd7 ,0x30
+,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7  ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x7a
+,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04  ,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30
+,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05  ,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30
+,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06  ,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c
+,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c  ,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a
+,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c  ,0x54 ,0x43 ,0x31 ,0x0d ,0x30 ,0x0b ,0x06 ,0x03
+,0x55 ,0x04 ,0x03 ,0x0c ,0x04 ,0x4b ,0x45 ,0x4b  ,0x31 ,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a
+,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01  ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61
+,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63  ,0x6f ,0x6d ,0x30 ,0x1e ,0x17 ,0x0d ,0x32 ,0x30
+,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x38 ,0x34 ,0x38  ,0x30 ,0x39 ,0x5a ,0x17 ,0x0d ,0x32 ,0x31 ,0x30
+,0x39 ,0x31 ,0x34 ,0x31 ,0x38 ,0x34 ,0x38 ,0x30  ,0x39 ,0x5a ,0x30 ,0x7a ,0x31 ,0x0b ,0x30 ,0x09
+,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55  ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55
+,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61  ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55
+,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74  ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03
+,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d  ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04
+,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0d  ,0x30 ,0x0b ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c
+,0x04 ,0x4b ,0x45 ,0x4b ,0x31 ,0x31 ,0x1f ,0x30  ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7
+,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61  ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69
+,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x82  ,0x01 ,0x22 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86
+,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05  ,0x00 ,0x03 ,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82
+,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xad  ,0xd0 ,0x43 ,0x6b ,0x3c ,0xa2 ,0xbd ,0xb8 ,0x30
+,0x26 ,0xa9 ,0x2a ,0xa7 ,0x63 ,0xb6 ,0x59 ,0x27  ,0xfb ,0x28 ,0xd5 ,0x5a ,0x3c ,0x2f ,0x8b ,0x8f
+,0x71 ,0xda ,0x2a ,0x15 ,0x30 ,0x3c ,0x07 ,0xd5  ,0x6c ,0x4e ,0xe4 ,0xff ,0x30 ,0x24 ,0x6c ,0x72
+,0x26 ,0xf6 ,0x5b ,0x22 ,0xea ,0x12 ,0x96 ,0xf8  ,0x20 ,0x71 ,0xb5 ,0xa8 ,0x9e ,0xdc ,0xd8 ,0xbf
+,0x5c ,0xa3 ,0xd6 ,0x5a ,0xa6 ,0x17 ,0xe3 ,0x91  ,0x92 ,0x31 ,0x25 ,0x1f ,0x36 ,0x76 ,0x21 ,0x15
+,0x04 ,0x4c ,0xdd ,0x77 ,0x09 ,0xd6 ,0xe2 ,0x71  ,0x2e ,0x85 ,0x43 ,0x4d ,0x5e ,0x37 ,0x30 ,0x01
+,0x03 ,0x6b ,0x61 ,0xce ,0x08 ,0xd8 ,0xa9 ,0xaa  ,0x6b ,0x24 ,0x41 ,0x64 ,0xd3 ,0x6a ,0x8a ,0xb7
+,0x4f ,0xf4 ,0xaf ,0x92 ,0x6e ,0x39 ,0x35 ,0x6a  ,0x5c ,0xeb ,0xbb ,0x91 ,0xff ,0xa3 ,0x28 ,0xee
+,0xde ,0x13 ,0xfb ,0x9d ,0xae ,0x6e ,0x00 ,0xb5  ,0x32 ,0xc8 ,0xcf ,0x17 ,0x9a ,0xef ,0x6b ,0xcd
+,0x4c ,0x23 ,0xf7 ,0xc6 ,0x00 ,0x87 ,0x66 ,0xac  ,0xb6 ,0x41 ,0x07 ,0x97 ,0x14 ,0x9e ,0x48 ,0x1f
+,0x74 ,0xde ,0x05 ,0xe4 ,0x46 ,0xc3 ,0xb9 ,0xc3  ,0x72 ,0xeb ,0xca ,0x43 ,0x08 ,0x41 ,0x1f ,0x16
+,0xa8 ,0x3e ,0x5b ,0xd3 ,0x22 ,0xa7 ,0x7f ,0xdf  ,0x57 ,0xc0 ,0x7d ,0x52 ,0x2a ,0xfb ,0xcb ,0xbe
+,0x78 ,0xfa ,0x8f ,0x71 ,0x08 ,0x7e ,0x41 ,0x8a  ,0x0e ,0xe1 ,0x6a ,0x2f ,0x94 ,0xe3 ,0x46 ,0xbc
+,0x1b ,0xe9 ,0xd2 ,0x9c ,0x86 ,0x7a ,0xf8 ,0xe6  ,0x0d ,0x27 ,0x53 ,0x94 ,0x08 ,0x21 ,0x72 ,0xb0
+,0x33 ,0x8f ,0xcf ,0x40 ,0xc9 ,0x5e ,0x26 ,0x36  ,0xc2 ,0xcd ,0x41 ,0x7c ,0x58 ,0x25 ,0x7c ,0xed
+,0xf2 ,0x73 ,0x34 ,0xb8 ,0xf6 ,0x16 ,0x75 ,0x80  ,0xe7 ,0x63 ,0x91 ,0xe5 ,0x1c ,0x24 ,0x15 ,0xf3
+,0xf5 ,0xca ,0x38 ,0x28 ,0x1e ,0xa5 ,0x0d ,0x02  ,0x03 ,0x01 ,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51
+,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04  ,0x16 ,0x04 ,0x14 ,0xce ,0x7d ,0xc6 ,0x2c ,0x19
+,0x32 ,0xfe ,0x51 ,0x4a ,0x06 ,0x17 ,0x4b ,0xe7  ,0x8c ,0x2e ,0x30 ,0x35 ,0xf2 ,0xfc ,0xab ,0x30
+,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18  ,0x30 ,0x16 ,0x80 ,0x14 ,0xce ,0x7d ,0xc6 ,0x2c
+,0x19 ,0x32 ,0xfe ,0x51 ,0x4a ,0x06 ,0x17 ,0x4b  ,0xe7 ,0x8c ,0x2e ,0x30 ,0x35 ,0xf2 ,0xfc ,0xab
+,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01  ,0x01 ,0xff ,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01
+,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48  ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00
+,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x9e ,0x63 ,0xd0  ,0xd8 ,0x70 ,0x78 ,0x42 ,0x2d ,0xc9 ,0xdb ,0xc9
+,0x8d ,0x47 ,0xda ,0x72 ,0x7b ,0xa9 ,0xb2 ,0x26  ,0x67 ,0x98 ,0xb6 ,0x17 ,0xe6 ,0xf3 ,0x0f ,0xd8
+,0xc9 ,0x10 ,0x95 ,0xb0 ,0x99 ,0xee ,0x76 ,0x74  ,0x24 ,0x7f ,0xce ,0x49 ,0x28 ,0x46 ,0xfd ,0x66
+,0x9a ,0x3e ,0x66 ,0x0d ,0xed ,0x6e ,0x54 ,0xc7  ,0xb9 ,0x64 ,0xc3 ,0xb3 ,0xa6 ,0xb8 ,0xb2 ,0x71
+,0xa5 ,0x00 ,0x33 ,0xf4 ,0xed ,0x44 ,0x38 ,0xa1  ,0x28 ,0xcc ,0x88 ,0xe7 ,0xc8 ,0x53 ,0x47 ,0x90
+,0xc2 ,0x37 ,0xe7 ,0xbb ,0x37 ,0x61 ,0x36 ,0x96  ,0x96 ,0x96 ,0x3a ,0xe9 ,0x63 ,0xfc ,0xc2 ,0x98
+,0xc4 ,0x75 ,0x62 ,0x60 ,0xc5 ,0x19 ,0x98 ,0xf0  ,0xd3 ,0x03 ,0xc2 ,0x45 ,0x06 ,0x54 ,0xa3 ,0x75
+,0x29 ,0x92 ,0x91 ,0x1c ,0xef ,0x42 ,0xba ,0x9f  ,0x65 ,0x87 ,0xb0 ,0x9a ,0xbb ,0xbf ,0x09 ,0xde
+,0xe3 ,0x28 ,0xce ,0xb3 ,0x72 ,0xb0 ,0x64 ,0xec  ,0xf3 ,0x3e ,0x64 ,0xe6 ,0x62 ,0x40 ,0xbd ,0x6b
+,0x16 ,0xd3 ,0xac ,0x94 ,0x2a ,0x15 ,0x27 ,0xa6  ,0x54 ,0x31 ,0xa9 ,0x05 ,0xae ,0xb5 ,0x72 ,0xe5
+,0x8e ,0x0e ,0x93 ,0xe9 ,0xd6 ,0x67 ,0xd1 ,0xba  ,0x86 ,0xa1 ,0x2c ,0x84 ,0x43 ,0xa6 ,0x8b ,0x43
+,0x6f ,0x5f ,0x2c ,0x6c ,0xcc ,0x91 ,0x60 ,0x29  ,0x45 ,0xdf ,0x95 ,0x4e ,0x82 ,0xee ,0xea ,0x1e
+,0x5d ,0x34 ,0x5a ,0xc0 ,0x65 ,0x07 ,0x85 ,0x00  ,0x4c ,0x4c ,0x42 ,0x8f ,0x28 ,0x3a ,0x95 ,0xfb
+,0x96 ,0xa0 ,0x1c ,0x97 ,0xfc ,0x42 ,0x78 ,0x11  ,0x77 ,0xdf ,0xdf ,0x6c ,0xdc ,0x61 ,0xaf ,0x2a
+,0x00 ,0x93 ,0xa6 ,0xca ,0x81 ,0xb4 ,0x9f ,0x3e  ,0x9b ,0x61 ,0x89 ,0xdb ,0x36 ,0x1d ,0x99 ,0x4e
+,0xbc ,0x50 ,0xcb ,0x55 ,0xbc ,0xe7 ,0x34 ,0x70  ,0xf7 ,0x31 ,0x3a ,0xf2 ,0xca ,0xb2 ,0x83 ,0x1a
+,0xb4 ,0xe7 ,0x20 ,0x2d};
+
+unsigned int multipletrimmedKEK_auth_len =  3540;
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c
index a769863b..3cdc6ef2 100644
--- a/libstb/secvar/test/secvar-test-edk2-compat.c
+++ b/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -17,6 +17,7 @@
 #include "./data/dbsigneddata.h"
 #include "./data/OldTSKEK.h"
 #include "./data/multipleKEK.h"
+#include "./data/multipletrimmedKEK.h"
 #include "./data/multipleDB.h"
 #include "./data/multiplePK.h"
 #include "./data/dbx.h"
@@ -336,6 +337,21 @@ int run_test()
 	ASSERT(5 == list_length(&variable_bank));
 	ASSERT(0 == list_length(&update_bank));
 
+	/* Add multiple KEK ESLs with w one missing 5 bytes */
+	printf("Add multiple KEK with one trimmed\n");
+	tmp = new_secvar("KEK", 4, multipletrimmedKEK_auth, multipletrimmedKEK_auth_len, 0);
+	ASSERT(0 == edk2_compat_validate(tmp));
+	list_add_tail(&update_bank, &tmp->link);
+	ASSERT(1 == list_length(&update_bank));
+
+	rc = edk2_compat_process(&variable_bank, &update_bank);
+	ASSERT(OPAL_PARAMETER == rc);
+	ASSERT(5 == list_length(&variable_bank));
+	ASSERT(0 == list_length(&update_bank));
+	tmp = find_secvar("KEK", 4, &variable_bank);
+	ASSERT(NULL != tmp);
+	ASSERT(0 != tmp->data_size);
+
 	/* Add multiple KEK ESLs, one of them should sign the db. */
 	printf("Add multiple KEK\n");
 	tmp = new_secvar("KEK", 4, multipleKEK_auth, multipleKEK_auth_len, 0);

From patchwork Tue Jul 20 16:05:00 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nick Child <nnac123@gmail.com>
X-Patchwork-Id: 1507670
Return-Path: 
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org
 (client-ip=112.213.38.117; helo=lists.ozlabs.org;
 envelope-from=skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=pikSZOnI;
	dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4GTl370zS0z9sWd
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:11 +1000 (AEST)
Received: from boromir.ozlabs.org (localhost [IPv6:::1])
	by lists.ozlabs.org (Postfix) with ESMTP id 4GTl366Y5Mz3bVT
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:10 +1000 (AEST)
Authentication-Results: lists.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=pikSZOnI;
	dkim-atps=neutral
X-Original-To: skiboot-stable@lists.ozlabs.org
Delivered-To: skiboot-stable@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized)
 smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::f31;
 helo=mail-qv1-xf31.google.com; envelope-from=nnac123@gmail.com;
 receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=pikSZOnI; dkim-atps=neutral
Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com
 [IPv6:2607:f8b0:4864:20::f31])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by lists.ozlabs.org (Postfix) with ESMTPS id 4GTk7x0bKDz2xKM
 for <skiboot-stable@lists.ozlabs.org>; Wed, 21 Jul 2021 02:05:16 +1000 (AEST)
Received: by mail-qv1-xf31.google.com with SMTP id f3so10335662qvm.2
 for <skiboot-stable@lists.ozlabs.org>; Tue, 20 Jul 2021 09:05:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=9gdTKQuD3xL5mNJxxvDFe/SjzwmrdbkZUFyPP7tAbZI=;
 b=pikSZOnIRpz9RRt5ph4yEyc/j8yIlLF942Hl426/1pHCKaRJ5FXWVVuyH3VahCOBmY
 NA60f1dWlb+ayM4VkCajb4J5TQyikvkwcEB15Bj/qdImeLUi0A+SGFEC3E5asj1gy8WY
 hY6ZzX/B5HH+N6SzpGYBoM/++dgGGs3cBTeFWf3HRnr2fvGQZFuyAhHz2Kj71MYG5aKt
 yG/bEMF600BWhTqCNBZBEXGS6Vx0vKdwv281WSVOHZZOiq9DsnAwIZLKgbP+QUWI/+eo
 Kg/Uhj9opeg1StPNPdBvEZF11cpZ1gAk/TcnuZcIt3q9DnhuF3Ry8E8m1Gj1Lg5ILm2p
 otCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=9gdTKQuD3xL5mNJxxvDFe/SjzwmrdbkZUFyPP7tAbZI=;
 b=mJp0oSM5UztYi53ow+Bt7C+XwwdZMZnBW/TDxULHmsELFnw1ZbHNa2oUpVAIt4qsRt
 +l4LNys2n3A2G8kPWpXB84NeRHS4UPE4iSMldJ9tCrmGhVdMkT7HRFEWb78I/kCyijHd
 LY5mxWMbiQUHRcJV70sRUPGqn3h0kAgohBVfyniQp24Aa3IwwEnSvvQyCKWzrB/O3SyZ
 ZsGvFmbFSiUuhUnQ6ePTEPft3zIImHPtyifjriQDvPkVYhjtUnaft5FKJt9JWbPFmdxr
 tInel++mz015b1o4kk6pWLdpSqYSf2swiETm0dqgjJHCj9P7gQy1SIhWTLelJUhGc8LW
 C0zg==
X-Gm-Message-State: AOAM531MZ3B2PxElNqbTfDsCTTVS8d0qqXfHPOGGqpsgHOYwav/J9MAy
 quiURRSKo4pfAuX7mBo7Trs5A81C2CC/ng==
X-Google-Smtp-Source: 
 ABdhPJxu+xXtDrLAqMbGCk6GPduaHYJBOo7h0WRVwqbyX2C0ZV38RU4VCVU9E+q6GTc/G4gc+SkAKw==
X-Received: by 2002:a0c:d644:: with SMTP id e4mr30698101qvj.45.1626797113840;
 Tue, 20 Jul 2021 09:05:13 -0700 (PDT)
Received: from starship-12.hsd1.fl.comcast.net
 ([2601:589:4a00:1ed0:4391:e426:6e2:788b])
 by smtp.gmail.com with ESMTPSA id 67sm7964727qtf.83.2021.07.20.09.05.12
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 20 Jul 2021 09:05:13 -0700 (PDT)
From: Nick Child <nnac123@gmail.com>
X-Google-Original-From: Nick Child <nick.child@ibm.com>
To: skiboot-stable@lists.ozlabs.org
Date: Tue, 20 Jul 2021 12:05:00 -0400
Message-Id: <20210720160501.9850-3-nick.child@ibm.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210720160501.9850-1-nick.child@ibm.com>
References: <20210720160501.9850-1-nick.child@ibm.com>
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 21 Jul 2021 02:46:07 +1000
Subject: [Skiboot-stable] [PATCH v1 3/4] secvar: return error if
 validate_esl has extra data
X-BeenThere: skiboot-stable@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Patches, review, and discussion for stable releases of skiboot"
 <skiboot-stable.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/skiboot-stable/>
List-Post: <mailto:skiboot-stable@lists.ozlabs.org>
List-Help: <mailto:skiboot-stable-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=subscribe>
Cc: nick.child@ibm.com, Nick Child <nnac123@gmail.com>, nayna@linux.ibm.com,
 dja@axtens.net
Errors-To: 
 skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot-stable"
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

From: Nick Child <nnac123@gmail.com>

commit ID: 355176a9405c83320748f804e8655e6a8ee2324f from upstream.

Currently, in `validate_esl_list`, the return code is initialized to zero
(our success value). While looping though the ESL's in the submitted ESL
chain, the loop will break if there is not enough data to meet minimum ESL
requirements. This condition was not setting a return code, meaning that the
successful return code can pass to the end of the function if there is extra
data at the end of the ESL. As a consequence, any properly signed update can
successfully commit any data (as long as it is less than the min size of an
ESL) to the secvars.

This commit will return an error if the described condition is met. This
means all data in the appended ESL of an auth file must be accounted for. No
extra bytes can be added to the end since, on success, this data will become
the updated secvar.

Additionally, a test case has been added to ensure that this commit
addresses the issue correctly.

Fixes: 87562bc5c1a6 ("secvar/backend: add edk2 derived key updates processing")
Signed-off-by: Nick Child <nick.child@ibm.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
---
 libstb/secvar/backend/edk2-compat-process.c  |  5 ++++-
 libstb/secvar/test/secvar-test-edk2-compat.c | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 81ddb9a6..ecba3c2b 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -266,8 +266,11 @@ int validate_esl_list(const char *key, const char *esl, const size_t size)
 
 	while (eslvarsize > 0) {
 		prlog(PR_DEBUG, "esl var size is %d offset is %lu\n", eslvarsize, size - eslvarsize);
-		if (eslvarsize < sizeof(EFI_SIGNATURE_LIST))
+		if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) {
+			prlog(PR_ERR, "ESL with size %d is too small\n", eslvarsize);
+			rc = OPAL_PARAMETER;
 			break;
+		}
 
 		/* Check Supported ESL Type */
 		list = get_esl_signature_list(esl, eslvarsize);
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c
index 3cdc6ef2..1edce112 100644
--- a/libstb/secvar/test/secvar-test-edk2-compat.c
+++ b/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -165,6 +165,21 @@ int run_test()
 	ASSERT(5 == list_length(&variable_bank));
 	ASSERT(setup_mode);
 
+	/* Add PK with bad ESL. should fail since data is not big enough to be ESL*/
+	printf("Add PK with invalid appended ESL");
+	/* 1014 is length of appended ESL Header and its data */
+	tmp = new_secvar("PK", 3, PK_auth, PK_auth_len - 1014 + sizeof(EFI_SIGNATURE_LIST) - 1, 0);
+	ASSERT(0 == edk2_compat_validate(tmp));
+	list_add_tail(&update_bank, &tmp->link);
+	ASSERT(1 == list_length(&update_bank));
+	rc = edk2_compat_process(&variable_bank, &update_bank);
+	ASSERT(5 == list_length(&variable_bank));
+	ASSERT(0 == list_length(&update_bank));
+	rc = edk2_compat_post_process(&variable_bank, &update_bank);
+	ASSERT(5 == list_length(&variable_bank));
+	ASSERT(setup_mode);
+
+
 	/* Add PK to update and .process(). */
 	printf("Add PK");
 	tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0);

From patchwork Tue Jul 20 16:05:01 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nick Child <nnac123@gmail.com>
X-Patchwork-Id: 1507671
Return-Path: 
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org
 (client-ip=112.213.38.117; helo=lists.ozlabs.org;
 envelope-from=skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=mfMCDQgn;
	dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4GTl375YkNz9sWX
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:11 +1000 (AEST)
Received: from boromir.ozlabs.org (localhost [IPv6:::1])
	by lists.ozlabs.org (Postfix) with ESMTP id 4GTl3747cSz3bYC
	for <incoming@patchwork.ozlabs.org>; Wed, 21 Jul 2021 02:46:11 +1000 (AEST)
Authentication-Results: lists.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=mfMCDQgn;
	dkim-atps=neutral
X-Original-To: skiboot-stable@lists.ozlabs.org
Delivered-To: skiboot-stable@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized)
 smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::82d;
 helo=mail-qt1-x82d.google.com; envelope-from=nnac123@gmail.com;
 receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=mfMCDQgn; dkim-atps=neutral
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com
 [IPv6:2607:f8b0:4864:20::82d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by lists.ozlabs.org (Postfix) with ESMTPS id 4GTk7y36q3z2xKM
 for <skiboot-stable@lists.ozlabs.org>; Wed, 21 Jul 2021 02:05:18 +1000 (AEST)
Received: by mail-qt1-x82d.google.com with SMTP id j7so2765715qtj.6
 for <skiboot-stable@lists.ozlabs.org>; Tue, 20 Jul 2021 09:05:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=ENAu/nvs0P1crgqrnEDCvj2R8w3U268xkKxqyXsC0To=;
 b=mfMCDQgnbnCUNSfmpjd1znzY5BRzmT/HbRusuC1XPGxEGXwjdBRObG3fBCHjqbdJDq
 Zt7he7btYUDBxAZC2VaAuupuMdcEKp6QgTgLMcK9kzT+Mdm8SmTgNy+wbgZ04sbdwCce
 Nk6x3UXza3Y1g1xx4uyF1bowKLPqKzoTzS78jDpJ8Ktmx88vmBz3olYQQaBW7cSqLq24
 mDuPgM5JcNq0eK9W7vf8+cWTHCW5PfsBg/84bzANQBirVoYiYwy//Je4YlN9UM20fugj
 h22r0vOVnvlF+O5mV0vkZoPhY1JVXA8hILc9b+iUuE70UcjYTEAkEMjug1ybWbMff7gL
 7lDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=ENAu/nvs0P1crgqrnEDCvj2R8w3U268xkKxqyXsC0To=;
 b=KjV6in8sqC1vugPPnYj+2Y5jFRTXop+hTW2RNeEVJltNfPzygsTMgo74Zb0flQRmZG
 4iJWgam7q78THsedPndO13tR1QvrdjXRj4x042O5yWgLjksP4fzpNVQh0mjwvEGDQF53
 nnmffN3+aj9H7QoFZitzmvovA0e992S13IhFJ8Xg6fj4Yh3/HWXLwhCWUVIAGs5Gw4SE
 H1dXDBjKsZzAUJTErohBi3FaBOWHnQ4pwIpgvWw2Z7Yp5HMyZPMI+Z8e9MuJaooeo394
 90u2/Zoo8TOKCBqSF6QnFcHqy/lTKTU4tbwXH8mo5UrxriHC7lTmlh9CNmUJJ3vgJojW
 INIg==
X-Gm-Message-State: AOAM532SWaRy7ZbnBOG4rrZo1fYlStMo1nktAG8OM0uzde1dLtXXO0CF
 NT5iTB9m1Fvmxyx5OkAiTuDgqEVjcqbq2g==
X-Google-Smtp-Source: 
 ABdhPJxP+xkKaeM1JdPS5k4m32hNQiKDq1plrgSTZT91iy0U5clCT4FVXTBi+Sib9L/zEB4sTXYPAQ==
X-Received: by 2002:a05:622a:134d:: with SMTP id
 w13mr26559312qtk.275.1626797114999;
 Tue, 20 Jul 2021 09:05:14 -0700 (PDT)
Received: from starship-12.hsd1.fl.comcast.net
 ([2601:589:4a00:1ed0:4391:e426:6e2:788b])
 by smtp.gmail.com with ESMTPSA id 67sm7964727qtf.83.2021.07.20.09.05.13
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 20 Jul 2021 09:05:14 -0700 (PDT)
From: Nick Child <nnac123@gmail.com>
X-Google-Original-From: Nick Child <nick.child@ibm.com>
To: skiboot-stable@lists.ozlabs.org
Date: Tue, 20 Jul 2021 12:05:01 -0400
Message-Id: <20210720160501.9850-4-nick.child@ibm.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210720160501.9850-1-nick.child@ibm.com>
References: <20210720160501.9850-1-nick.child@ibm.com>
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 21 Jul 2021 02:46:07 +1000
Subject: [Skiboot-stable] [PATCH v1 4/4] secvar: return error if
 verify_signature runs out of ESLs
X-BeenThere: skiboot-stable@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Patches, review, and discussion for stable releases of skiboot"
 <skiboot-stable.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/skiboot-stable/>
List-Post: <mailto:skiboot-stable@lists.ozlabs.org>
List-Help: <mailto:skiboot-stable-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/skiboot-stable>,
 <mailto:skiboot-stable-request@lists.ozlabs.org?subject=subscribe>
Cc: nick.child@ibm.com, Nick Child <nnac123@gmail.com>, nayna@linux.ibm.com,
 dja@axtens.net
Errors-To: 
 skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot-stable"
 <skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

From: Nick Child <nnac123@gmail.com>

commit ID: 56658ad4a0249cdf516e6bc21781cce901965998 from upstream.

Currently, in `verify_signature`, the return code `rc` is initialized
as 0 (our success value). While looping through the ESL's in the given
secvar, the function will break if the remaining data in the secvar is
not enough to contain another ESL. This break from the loop was not
setting a return code, this means that the successful return code
can pass to the end of the function if the first iteration meets
this condition. In other words, if a current secvar has a size that
is less than minimum size for an ESL, than it will approve any update.

In response to this bug, this commit will return an error code if
the described condition is met. Additionally, a test case has been
added to ensure that this unlikely event is handled correctly.

Fixes: 87562bc5c1a6 ("secvar/backend: add edk2 derived key updates processing")
Signed-off-by: Nick Child <nick.child@ibm.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
---
 libstb/secvar/backend/edk2-compat-process.c  |  5 +++-
 libstb/secvar/test/secvar-test-edk2-compat.c | 25 ++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index ecba3c2b..c0006a5e 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -491,8 +491,11 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
 	/* Variable is not empty */
 	while (eslvarsize > 0) {
 		prlog(PR_DEBUG, "esl var size is %d offset is %d\n", eslvarsize, offset);
-		if (eslvarsize < sizeof(EFI_SIGNATURE_LIST))
+		if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) {
+			rc = OPAL_INTERNAL_ERROR;
+			prlog(PR_ERR, "ESL data is corrupted\n");
 			break;
+		}
 
 		/* Calculate the size of the ESL */
 		eslsize = get_esl_signature_list_size(avar->data + offset,
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c
index 1edce112..100fda7d 100644
--- a/libstb/secvar/test/secvar-test-edk2-compat.c
+++ b/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -89,6 +89,7 @@ int run_test()
 {
 	int rc = -1;
 	struct secvar *tmp;
+	size_t tmp_size;
 	char empty[64] = {0};
 
 	/* The sequence of test cases here is important to ensure that
@@ -213,6 +214,30 @@ int run_test()
 	tmp = find_secvar("db", 3, &variable_bank);
 	ASSERT(NULL != tmp);
 
+	/* Add db, should fail with no KEK and invalid PK size */
+	printf("Add db, corrupt PK");
+	/* Somehow PK gets assigned wrong size */
+	tmp = find_secvar("PK", 3, &variable_bank);
+	ASSERT(NULL != tmp);
+	tmp_size = tmp->data_size;
+	tmp->data_size = sizeof(EFI_SIGNATURE_LIST) - 1;
+	tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0);
+	ASSERT(0 == edk2_compat_validate(tmp));
+	list_add_tail(&update_bank, &tmp->link);
+	ASSERT(1 == list_length(&update_bank));
+
+	rc = edk2_compat_process(&variable_bank, &update_bank);
+	ASSERT(OPAL_INTERNAL_ERROR == rc);
+	ASSERT(5 == list_length(&variable_bank));
+	ASSERT(0 == list_length(&update_bank));
+	tmp = find_secvar("db", 3, &variable_bank);
+	ASSERT(NULL != tmp);
+	ASSERT(0 == tmp->data_size);
+	/* Restore PK data size */
+	tmp = find_secvar("PK", 3, &variable_bank);
+	ASSERT(NULL != tmp);
+	tmp->data_size = tmp_size;
+
 	/* Add trimmed KEK, .process(), should fail. */
 	printf("Add trimmed KEK\n");
 	tmp = new_secvar("KEK", 4, trimmedKEK_auth, trimmedKEK_auth_len, 0);