* New upstream release.debian/15+1533136590.3beb971-1

  - debian/patches/second-stage-path: dropped; the default loader path now
    includes an arch suffix.
  - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
  - debian/copyright: Update upstream source location.
  - debian/control: add a Build-Depends on libelf-dev.
  - Enable arm64 build.
  - debian/patches/fixup_git.patch: don't run git in clean; we're not
    really in a git tree.
  - debian/rules, debian/shim.install: use the upstream install target as
    intended, and move files to the target directory using dh_install.
  - define RELEASE and COMMIT_ID for the snapshot.
  - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
    options: set MAKELEVEL.
  - Define an EFI_ARCH variable, and use that for paths to shim. This
    makes it possible to build a shim for other architectures than amd64.
  - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
    in the "right" final directories, and makes boot.csv for us.
  - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
    at compile-time for MokManager and fallback.
  - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
    and MokManager.

1 files changed, 91 insertions, 102 deletions

diff --git a/Cryptlib/Pk/CryptRsaBasic.c b/Cryptlib/Pk/CryptRsaBasic.c
index e49db51e..ba1bcf0f 100644
--- a/Cryptlib/Pk/CryptRsaBasic.c
+++ b/Cryptlib/Pk/CryptRsaBasic.c
@@ -7,7 +7,7 @@
   3) RsaSetKey

   4) RsaPkcs1Verify

 

-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>

+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -67,14 +67,14 @@ RsaFree (
   This function sets the tag-designated RSA key component into the established

   RSA context from the user-specified non-negative integer (octet string format

   represented in RSA PKCS#1).

-  If BigNumber is NULL, then the specified key componenet in RSA context is cleared.

+  If BigNumber is NULL, then the specified key component in RSA context is cleared.

 

   If RsaContext is NULL, then return FALSE.

 

   @param[in, out]  RsaContext  Pointer to RSA context being set.

   @param[in]       KeyTag      Tag of RSA key component being set.

   @param[in]       BigNumber   Pointer to octet integer buffer.

-                               If NULL, then the specified key componenet in RSA

+                               If NULL, then the specified key component in RSA

                                context is cleared.

   @param[in]       BnSize      Size of big number buffer in bytes.

                                If BigNumber is NULL, then it is ignored.

@@ -92,7 +92,15 @@ RsaSetKey (
   IN      UINTN        BnSize

   )

 {

-  RSA  *RsaKey;

+  RSA     *RsaKey;

+  BIGNUM  *BnN;

+  BIGNUM  *BnE;

+  BIGNUM  *BnD;

+  BIGNUM  *BnP;

+  BIGNUM  *BnQ;

+  BIGNUM  *BnDp;

+  BIGNUM  *BnDq;

+  BIGNUM  *BnQInv;

 

   //

   // Check input parameters.

@@ -101,7 +109,23 @@ RsaSetKey (
     return FALSE;

   }

 

+  BnN    = NULL;

+  BnE    = NULL;

+  BnD    = NULL;

+  BnP    = NULL;

+  BnQ    = NULL;

+  BnDp   = NULL;

+  BnDq   = NULL;

+  BnQInv = NULL;

+

+  //

+  // Retrieve the components from RSA object.

+  //

   RsaKey = (RSA *) RsaContext;

+  RSA_get0_key (RsaKey, (const BIGNUM **)&BnN, (const BIGNUM **)&BnE, (const BIGNUM **)&BnD);

+  RSA_get0_factors (RsaKey, (const BIGNUM **)&BnP, (const BIGNUM **)&BnQ);

+  RSA_get0_crt_params (RsaKey, (const BIGNUM **)&BnDp, (const BIGNUM **)&BnDq, (const BIGNUM **)&BnQInv);

+

   //

   // Set RSA Key Components by converting octet string to OpenSSL BN representation.

   // NOTE: For RSA public key (used in signature verification), only public components

@@ -110,144 +134,109 @@ RsaSetKey (
   switch (KeyTag) {

 

   //

-  // RSA Public Modulus (N)

+  // RSA Public Modulus (N), Public Exponent (e) and Private Exponent (d)

   //

   case RsaKeyN:

-    if (RsaKey->n != NULL) {

-      BN_free (RsaKey->n);

-    }

-    RsaKey->n = NULL;

-    if (BigNumber == NULL) {

-      break;

-    }

-    RsaKey->n = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->n);

-    if (RsaKey->n == NULL) {

-      return FALSE;

-    }

-

-    break;

-

-  //

-  // RSA Public Exponent (e)

-  //

   case RsaKeyE:

-    if (RsaKey->e != NULL) {

-      BN_free (RsaKey->e);

+  case RsaKeyD:

+    if (BnN == NULL) {

+      BnN = BN_new ();

     }

-    RsaKey->e = NULL;

-    if (BigNumber == NULL) {

-      break;

+    if (BnE == NULL) {

+      BnE = BN_new ();

     }

-    RsaKey->e = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->e);

-    if (RsaKey->e == NULL) {

-      return FALSE;

+    if (BnD == NULL) {

+      BnD = BN_new ();

     }

 

-    break;

-

-  //

-  // RSA Private Exponent (d)

-  //

-  case RsaKeyD:

-    if (RsaKey->d != NULL) {

-      BN_free (RsaKey->d);

-    }

-    RsaKey->d = NULL;

-    if (BigNumber == NULL) {

-      break;

-    }

-    RsaKey->d = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->d);

-    if (RsaKey->d == NULL) {

+    if ((BnN == NULL) || (BnE == NULL) || (BnD == NULL)) {

       return FALSE;

     }

 

-    break;

-

-  //

-  // RSA Secret Prime Factor of Modulus (p)

-  //

-  case RsaKeyP:

-    if (RsaKey->p != NULL) {

-      BN_free (RsaKey->p);

-    }

-    RsaKey->p = NULL;

-    if (BigNumber == NULL) {

+    switch (KeyTag) {

+    case RsaKeyN:

+      BnN = BN_bin2bn (BigNumber, (UINT32)BnSize, BnN);

+      break;

+    case RsaKeyE:

+      BnE = BN_bin2bn (BigNumber, (UINT32)BnSize, BnE);

       break;

+    case RsaKeyD:

+      BnD = BN_bin2bn (BigNumber, (UINT32)BnSize, BnD);

+      break;

+    default:

+      return FALSE;

     }

-    RsaKey->p = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->p);

-    if (RsaKey->p == NULL) {

+    if (RSA_set0_key (RsaKey, BN_dup(BnN), BN_dup(BnE), BN_dup(BnD)) == 0) {

       return FALSE;

     }

 

     break;

 

   //

-  // RSA Secret Prime Factor of Modules (q)

+  // RSA Secret Prime Factor of Modulus (p and q)

   //

+  case RsaKeyP:

   case RsaKeyQ:

-    if (RsaKey->q != NULL) {

-      BN_free (RsaKey->q);

+    if (BnP == NULL) {

+      BnP = BN_new ();

     }

-    RsaKey->q = NULL;

-    if (BigNumber == NULL) {

-      break;

+    if (BnQ == NULL) {

+      BnQ = BN_new ();

     }

-    RsaKey->q = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->q);

-    if (RsaKey->q == NULL) {

+    if ((BnP == NULL) || (BnQ == NULL)) {

       return FALSE;

     }

 

-    break;

-

-  //

-  // p's CRT Exponent (== d mod (p - 1))

-  //

-  case RsaKeyDp:

-    if (RsaKey->dmp1 != NULL) {

-      BN_free (RsaKey->dmp1);

-    }

-    RsaKey->dmp1 = NULL;

-    if (BigNumber == NULL) {

+    switch (KeyTag) {

+    case RsaKeyP:

+      BnP = BN_bin2bn (BigNumber, (UINT32)BnSize, BnP);

       break;

+    case RsaKeyQ:

+      BnQ = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQ);

+      break;

+    default:

+      return FALSE;

     }

-    RsaKey->dmp1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmp1);

-    if (RsaKey->dmp1 == NULL) {

+    if (RSA_set0_factors (RsaKey, BN_dup(BnP), BN_dup(BnQ)) == 0) {

       return FALSE;

     }

 

     break;

 

   //

-  // q's CRT Exponent (== d mod (q - 1))

+  // p's CRT Exponent (== d mod (p - 1)),  q's CRT Exponent (== d mod (q - 1)),

+  // and CRT Coefficient (== 1/q mod p)

   //

+  case RsaKeyDp:

   case RsaKeyDq:

-    if (RsaKey->dmq1 != NULL) {

-      BN_free (RsaKey->dmq1);

+  case RsaKeyQInv:

+    if (BnDp == NULL) {

+      BnDp = BN_new ();

     }

-    RsaKey->dmq1 = NULL;

-    if (BigNumber == NULL) {

-      break;

+    if (BnDq == NULL) {

+      BnDq = BN_new ();

     }

-    RsaKey->dmq1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmq1);

-    if (RsaKey->dmq1 == NULL) {

+    if (BnQInv == NULL) {

+      BnQInv = BN_new ();

+    }

+    if ((BnDp == NULL) || (BnDq == NULL) || (BnQInv == NULL)) {

       return FALSE;

     }

 

-    break;

-

-  //

-  // The CRT Coefficient (== 1/q mod p)

-  //

-  case RsaKeyQInv:

-    if (RsaKey->iqmp != NULL) {

-      BN_free (RsaKey->iqmp);

-    }

-    RsaKey->iqmp = NULL;

-    if (BigNumber == NULL) {

+    switch (KeyTag) {

+    case RsaKeyDp:

+      BnDp = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDp);

+      break;

+    case RsaKeyDq:

+      BnDq = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDq);

+      break;

+    case RsaKeyQInv:

+      BnQInv = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQInv);

       break;

+    default:

+      return FALSE;

     }

-    RsaKey->iqmp = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->iqmp);

-    if (RsaKey->iqmp == NULL) {

+    if (RSA_set0_crt_params (RsaKey, BN_dup(BnDp), BN_dup(BnDq), BN_dup(BnQInv)) == 0) {

       return FALSE;

     }

 

@@ -311,11 +300,11 @@ RsaPkcs1Verify (
   case MD5_DIGEST_SIZE:

     DigestType = NID_md5;

     break;

-    

+

   case SHA1_DIGEST_SIZE:

     DigestType = NID_sha1;

     break;

-    

+

   case SHA256_DIGEST_SIZE:

     DigestType = NID_sha256;

     break;