* New upstream release.debian/15+1533136590.3beb971-1

  - debian/patches/second-stage-path: dropped; the default loader path now
    includes an arch suffix.
  - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
  - debian/copyright: Update upstream source location.
  - debian/control: add a Build-Depends on libelf-dev.
  - Enable arm64 build.
  - debian/patches/fixup_git.patch: don't run git in clean; we're not
    really in a git tree.
  - debian/rules, debian/shim.install: use the upstream install target as
    intended, and move files to the target directory using dh_install.
  - define RELEASE and COMMIT_ID for the snapshot.
  - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
    options: set MAKELEVEL.
  - Define an EFI_ARCH variable, and use that for paths to shim. This
    makes it possible to build a shim for other architectures than amd64.
  - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
    in the "right" final directories, and makes boot.csv for us.
  - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
    at compile-time for MokManager and fallback.
  - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
    and MokManager.

1 files changed, 16 insertions, 8 deletions

diff --git a/Cryptlib/Pk/CryptTs.c b/Cryptlib/Pk/CryptTs.c
index d4958122..d63c23df 100644
--- a/Cryptlib/Pk/CryptTs.c
+++ b/Cryptlib/Pk/CryptTs.c
@@ -5,7 +5,7 @@
   the lifetime of the signature when a signing certificate expires or is later

   revoked.

 

-Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>

+Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.<BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -239,7 +239,7 @@ CheckTSTInfo (
   TS_MESSAGE_IMPRINT  *Imprint;

   X509_ALGOR          *HashAlgo;

   CONST EVP_MD        *Md;

-  EVP_MD_CTX          MdCtx;

+  EVP_MD_CTX          *MdCtx;

   UINTN               MdSize;

   UINT8               *HashedMsg;

 

@@ -249,6 +249,7 @@ CheckTSTInfo (
   Status    = FALSE;

   HashAlgo  = NULL;

   HashedMsg = NULL;

+  MdCtx     = NULL;

 

   //

   // -- Check version number of Timestamp:

@@ -285,11 +286,17 @@ CheckTSTInfo (
   if (HashedMsg == NULL) {

     goto _Exit;

   }

-  EVP_DigestInit (&MdCtx, Md);

-  EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);

-  EVP_DigestFinal (&MdCtx, HashedMsg, NULL);

+  MdCtx = EVP_MD_CTX_new ();

+  if (MdCtx == NULL) {

+    goto _Exit;

+  }

+  if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) ||

+      (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) ||

+      (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) {

+    goto _Exit;

+  }

   if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&

-      (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {

+      (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) {

     goto _Exit;

   }

 

@@ -315,6 +322,7 @@ CheckTSTInfo (
 

 _Exit:

   X509_ALGOR_free (HashAlgo);

+  EVP_MD_CTX_free (MdCtx);

   if (HashedMsg != NULL) {

     FreePool (HashedMsg);

   }

@@ -323,7 +331,7 @@ _Exit:
 }

 

 /**

-  Verifies the validility of a TimeStamp Token as described in RFC 3161 ("Internet

+  Verifies the validity of a TimeStamp Token as described in RFC 3161 ("Internet

   X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)").

 

   If TSToken is NULL, then return FALSE.

@@ -497,7 +505,7 @@ _Exit:
 }

 

 /**

-  Verifies the validility of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode

+  Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode

   signature.

 

   If AuthData is NULL, then return FALSE.