File ovmf-bsc990612-update-openssl-1.0.2h.patch of Package ovmf.6358

From 535421d25307a1c212a5f514048229b8ab429d5d Mon Sep 17 00:00:00 2001
From: Qin Long <qin.long@intel.com>
Date: Wed, 13 Jul 2016 13:27:11 +0800
Subject: [PATCH] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2h

OpenSSL 1.0.2h was released with several severity fixes at
03-May-2016 (https://www.openssl.org/news/secadv/20160503.txt).
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to
catch the latest release 1.0.2h.

Cc: Ting Ye <ting.ye@intel.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
---
 CryptoPkg/CryptoPkg.dec                            |  2 +-
 ...ssl-1.0.2g.patch => EDKII_openssl-1.0.2h.patch} | 97 ++++++++++------------
 CryptoPkg/Library/OpensslLib/Install.cmd           |  2 +-
 CryptoPkg/Library/OpensslLib/Install.sh            |  2 +-
 CryptoPkg/Library/OpensslLib/OpensslLib.inf        |  2 +-
 CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       | 26 +++---
 6 files changed, 62 insertions(+), 69 deletions(-)
 rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2g.patch => EDKII_openssl-1.0.2h.patch} (95%)

diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index e1cdb8e..c0885bb 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -24,7 +24,7 @@ [Defines]
 
 [Includes]
   Include
-  Library/OpensslLib/openssl-1.0.2g/include
+  Library/OpensslLib/openssl-1.0.2h/include
 
 [LibraryClasses]
   ##  @libraryclass  Provides basic library functions for cryptographic primitives.
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2g.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch
similarity index 95%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2g.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch
index 25dbebc..559fc67 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2g.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch
@@ -254,7 +254,7 @@ index d5a5514..bede55c 100644
          goto err;
  
 diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
-index 1d25687..e933ead 100644
+index 1d25687..ad641c3 100644
 --- a/crypto/bn/bn_prime.c
 +++ b/crypto/bn/bn_prime.c
 @@ -131,7 +131,7 @@
@@ -277,7 +277,7 @@ index 1d25687..e933ead 100644
  
 +    mods = OPENSSL_malloc(sizeof(*mods) * NUMPRIMES);
 +    if (mods == NULL)
-+	    goto err;
++        goto err;
      ctx = BN_CTX_new();
      if (ctx == NULL)
          goto err;
@@ -311,7 +311,7 @@ index 1d25687..e933ead 100644
  
   again:
 diff --git a/crypto/conf/conf.h b/crypto/conf/conf.h
-index 8d926d5..41cf38e 100644
+index 8d926d5..c29e97d 100644
 --- a/crypto/conf/conf.h
 +++ b/crypto/conf/conf.h
 @@ -118,8 +118,10 @@ typedef void conf_finish_func (CONF_IMODULE *md);
@@ -329,9 +329,9 @@ index 8d926d5..41cf38e 100644
  long CONF_get_number(LHASH_OF(CONF_VALUE) *conf, const char *group,
                       const char *name);
  void CONF_free(LHASH_OF(CONF_VALUE) *conf);
-+#ifndef OPENSSL_NO_FP_API
++# ifndef OPENSSL_NO_FP_API
  int CONF_dump_fp(LHASH_OF(CONF_VALUE) *conf, FILE *out);
-+#endif
++# endif
  int CONF_dump_bio(LHASH_OF(CONF_VALUE) *conf, BIO *out);
  
  void OPENSSL_config(const char *config_name);
@@ -349,9 +349,9 @@ index 8d926d5..41cf38e 100644
  char *NCONF_get_string(const CONF *conf, const char *group, const char *name);
  int NCONF_get_number_e(const CONF *conf, const char *group, const char *name,
                         long *result);
-+#ifndef OPENSSL_NO_FP_API
++# ifndef OPENSSL_NO_FP_API
  int NCONF_dump_fp(const CONF *conf, FILE *out);
-+#endif
++# endif
  int NCONF_dump_bio(const CONF *conf, BIO *out);
  
  # if 0                          /* The following function has no error
@@ -359,10 +359,10 @@ index 8d926d5..41cf38e 100644
  
  int CONF_modules_load(const CONF *cnf, const char *appname,
                        unsigned long flags);
-+#ifndef OPENSSL_NO_STDIO
++# ifndef OPENSSL_NO_STDIO
  int CONF_modules_load_file(const char *filename, const char *appname,
                             unsigned long flags);
-+#endif
++# endif
  void CONF_modules_unload(int all);
  void CONF_modules_finish(void);
  void CONF_modules_free(void);
@@ -684,10 +684,10 @@ index a5bd901..6488879 100644
  /* BEGIN ERROR CODES */
  /*
 diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c
-index a882cb2..4eddb9a 100644
+index a882cb2..aace5fb 100644
 --- a/crypto/dh/dh_kdf.c
 +++ b/crypto/dh/dh_kdf.c
-@@ -51,13 +51,18 @@
+@@ -51,6 +51,9 @@
   * ====================================================================
   */
  
@@ -697,22 +697,21 @@ index a882cb2..4eddb9a 100644
  #include <string.h>
  #include <openssl/dh.h>
  #include <openssl/evp.h>
- #include <openssl/asn1.h>
+@@ -58,6 +61,7 @@
  #include <openssl/cms.h>
  
-+
  /* Key derivation from X9.42/RFC2631 */
 +/* Uses CMS functions, hence the #ifdef wrapper. */
  
  #define DH_KDF_MAX      (1L << 30)
  
-@@ -185,3 +190,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
+@@ -185,3 +189,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
      EVP_MD_CTX_cleanup(&mctx);
      return rv;
  }
 +#endif
 diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
-index b58e3fa..c6288f6 100644
+index b58e3fa..926be98 100644
 --- a/crypto/dh/dh_pmeth.c
 +++ b/crypto/dh/dh_pmeth.c
 @@ -207,7 +207,11 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
@@ -727,7 +726,7 @@ index b58e3fa..c6288f6 100644
              return -2;
          dctx->kdf_type = p1;
          return 1;
-@@ -448,7 +452,10 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+@@ -448,7 +452,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
              return ret;
          *keylen = ret;
          return 1;
@@ -735,11 +734,10 @@ index b58e3fa..c6288f6 100644
 +    }
 +#ifndef OPENSSL_NO_CMS
 +    else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
-+
          unsigned char *Z = NULL;
          size_t Zlen = 0;
          if (!dctx->kdf_outlen || !dctx->kdf_oid)
-@@ -479,7 +486,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+@@ -479,7 +485,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
          }
          return ret;
      }
@@ -945,7 +943,7 @@ index 7a1c85d..7162c0f 100644
  #undef BN_LLONG
  
 diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h
-index d3b23fc..87b0b6a 100644
+index d3b23fc..5df6ffd 100644
 --- a/crypto/pem/pem.h
 +++ b/crypto/pem/pem.h
 @@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
@@ -980,17 +978,16 @@ index d3b23fc..87b0b6a 100644
  int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                             char *kstr, int klen,
                             pem_password_cb *cb, void *u);
-@@ -510,7 +514,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
+@@ -510,6 +514,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
  int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                                char *kstr, int klen, pem_password_cb *cd,
                                void *u);
--
 +#endif
+ 
  EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
  int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x);
- 
 diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
-index a29821a..5525efd 100644
+index fe881d6..e25cc68 100644
 --- a/crypto/pem/pem_lib.c
 +++ b/crypto/pem/pem_lib.c
 @@ -84,7 +84,7 @@ int pem_check_suffix(const char *pem_str, const char *suffix);
@@ -1003,38 +1000,35 @@ index a29821a..5525efd 100644
       * We should not ever call the default callback routine from windows.
       */
 diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
-index 5747c73..fe465cc 100644
+index 5747c73..9edca4d 100644
 --- a/crypto/pem/pem_pk8.c
 +++ b/crypto/pem/pem_pk8.c
-@@ -69,10 +69,12 @@
+@@ -69,9 +69,11 @@
  static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
                        int nid, const EVP_CIPHER *enc,
                        char *kstr, int klen, pem_password_cb *cb, void *u);
-+
 +#ifndef OPENSSL_NO_FP_API
  static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
                           int nid, const EVP_CIPHER *enc,
                           char *kstr, int klen, pem_password_cb *cb, void *u);
--
 +#endif
+ 
  /*
   * These functions write a private key in PKCS#8 format: it is a "drop in"
-  * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
 diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
-index dc9b484..0bc3d43 100644
+index dc9b484..e75c4b2 100644
 --- a/crypto/pkcs7/pk7_smime.c
 +++ b/crypto/pkcs7/pk7_smime.c
-@@ -64,6 +64,9 @@
+@@ -64,6 +64,8 @@
  #include <openssl/x509.h>
  #include <openssl/x509v3.h>
  
-+
 +#define BUFFERSIZE 4096
 +
  static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
  
  PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
-@@ -254,7 +257,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+@@ -254,7 +256,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
      STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
      PKCS7_SIGNER_INFO *si;
      X509_STORE_CTX cert_ctx;
@@ -1043,7 +1037,7 @@ index dc9b484..0bc3d43 100644
      int i, j = 0, k, ret = 0;
      BIO *p7bio = NULL;
      BIO *tmpin = NULL, *tmpout = NULL;
-@@ -373,8 +376,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+@@ -373,8 +375,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
          tmpout = out;
  
      /* We now have to 'read' from p7bio to calculate digests etc. */
@@ -1057,7 +1051,7 @@ index dc9b484..0bc3d43 100644
          if (i <= 0)
              break;
          if (tmpout)
-@@ -405,6 +412,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+@@ -405,6 +411,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
      ret = 1;
  
   err:
@@ -1065,7 +1059,7 @@ index dc9b484..0bc3d43 100644
      if (tmpin == indata) {
          if (indata)
              BIO_pop(p7bio);
-@@ -523,7 +531,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
+@@ -523,7 +530,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
  {
      BIO *tmpmem;
      int ret, i;
@@ -1074,7 +1068,7 @@ index dc9b484..0bc3d43 100644
  
      if (!p7) {
          PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_INVALID_NULL_POINTER);
-@@ -567,24 +575,29 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
+@@ -567,24 +574,30 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
          }
          BIO_free_all(bread);
          return ret;
@@ -1116,6 +1110,7 @@ index dc9b484..0bc3d43 100644
 -        BIO_free_all(tmpmem);
 -        return ret;
      }
++
 +err:
 +    OPENSSL_free(buf);
 +    BIO_free_all(tmpmem);
@@ -1222,20 +1217,19 @@ index 4e06218..ddead3d 100644
  const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
      {
 diff --git a/crypto/srp/srp.h b/crypto/srp/srp.h
-index 028892a..713fc54 100644
+index 028892a..4ed4bfe 100644
 --- a/crypto/srp/srp.h
 +++ b/crypto/srp/srp.h
-@@ -119,8 +119,9 @@ DECLARE_STACK_OF(SRP_gN)
+@@ -119,7 +119,9 @@ DECLARE_STACK_OF(SRP_gN)
  
  SRP_VBASE *SRP_VBASE_new(char *seed_key);
  int SRP_VBASE_free(SRP_VBASE *vb);
 +#ifndef OPENSSL_NO_STDIO
  int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
--
 +#endif
+ 
  /* This method ignores the configured seed and fails for an unknown user. */
  SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
- /* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
 diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
 index 26ad3e0..6be4cf2 100644
 --- a/crypto/srp/srp_vfy.c
@@ -1950,7 +1944,7 @@ index f6b3ff2..1dcbe36 100755
  		     SEED,-
  		     SHA,-
 diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index d1fc716..d5f661a 100644
+index 5d26c94..ee3f49b 100644
 --- a/ssl/d1_both.c
 +++ b/ssl/d1_both.c
 @@ -1053,7 +1053,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
@@ -2002,15 +1996,14 @@ index 35cc27c..a1f5335 100644
          } else {
              ret->sid_ctx_length = os.length;
 diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
-index a73f866..d534c0a 100644
+index f48ebae..ac4f08c 100644
 --- a/ssl/ssl_cert.c
 +++ b/ssl/ssl_cert.c
-@@ -855,12 +855,13 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
+@@ -857,12 +857,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
      return (add_client_CA(&(ctx->client_CA), x));
  }
  
 +#ifndef OPENSSL_NO_STDIO
-+
  static int xname_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
  {
      return (X509_NAME_cmp(*a, *b));
@@ -2020,7 +2013,7 @@ index a73f866..d534c0a 100644
  /**
   * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
   * it doesn't really have anything to do with clients (except that a common use
-@@ -928,7 +929,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+@@ -930,7 +930,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
          ERR_clear_error();
      return (ret);
  }
@@ -2028,7 +2021,7 @@ index a73f866..d534c0a 100644
  
  /**
   * Add a file of certs to a stack.
-@@ -1048,6 +1048,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+@@ -1050,6 +1049,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
      CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
      return ret;
  }
@@ -2108,7 +2101,7 @@ index baa3b59..1ee3f02 100644
  if ($? == 0)
  	{
 diff --git a/util/libeay.num b/util/libeay.num
-index e5b3c6e..8d4185c 100755
+index 2094ab3..992abb2 100755
 --- a/util/libeay.num
 +++ b/util/libeay.num
 @@ -4370,7 +4370,7 @@ DH_compute_key_padded                   4732	EXIST::FUNCTION:DH
@@ -2121,7 +2114,7 @@ index e5b3c6e..8d4185c 100755
  EVP_des_ede3_wrap                       4737	EXIST::FUNCTION:DES
  RSA_OAEP_PARAMS_it                      4738	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
 diff --git a/util/mkdef.pl b/util/mkdef.pl
-index c57c7f7..d4c3386 100755
+index b9b159a..9841498 100755
 --- a/util/mkdef.pl
 +++ b/util/mkdef.pl
 @@ -97,6 +97,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
@@ -2133,7 +2126,7 @@ index c57c7f7..d4c3386 100755
  			 # RFC3779
  			 "RFC3779",
  			 # TLS
-@@ -142,7 +144,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
+@@ -144,7 +146,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
  my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
  my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
  my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
@@ -2141,8 +2134,8 @@ index c57c7f7..d4c3386 100755
 +my $no_sct; my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
  my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; 
  my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
- my $no_unit_test; my $no_ssl3_method;
-@@ -233,6 +235,7 @@ foreach (@ARGV, split(/ /, $options))
+ my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method;
+@@ -235,6 +237,7 @@ foreach (@ARGV, split(/ /, $options))
  	elsif (/^no-engine$/)	{ $no_engine=1; }
  	elsif (/^no-hw$/)	{ $no_hw=1; }
  	elsif (/^no-gmp$/)	{ $no_gmp=1; }
@@ -2150,7 +2143,7 @@ index c57c7f7..d4c3386 100755
  	elsif (/^no-rfc3779$/)	{ $no_rfc3779=1; }
  	elsif (/^no-tlsext$/)	{ $no_tlsext=1; }
  	elsif (/^no-cms$/)	{ $no_cms=1; }
-@@ -1206,6 +1209,7 @@ sub is_valid
+@@ -1209,6 +1212,7 @@ sub is_valid
  			if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
  			if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
  			if ($keyword eq "GMP" && $no_gmp) { return 0; }
diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd
index 51e5414..83d04d7 100755
--- a/CryptoPkg/Library/OpensslLib/Install.cmd
+++ b/CryptoPkg/Library/OpensslLib/Install.cmd
@@ -1,4 +1,4 @@
-cd openssl-1.0.2g
+cd openssl-1.0.2h
 copy ..\opensslconf.h           crypto
 if not exist include\openssl mkdir include\openssl
 copy e_os2.h                    include\openssl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index 06f1dcd..95963ff 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-cd openssl-1.0.2g
+cd openssl-1.0.2h
 cp ../opensslconf.h           crypto
 mkdir -p                      include/openssl
 cp e_os2.h                    include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 8757100..361d30e 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@ [Defines]
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
-  DEFINE OPENSSL_PATH            = openssl-1.0.2g
+  DEFINE OPENSSL_PATH            = openssl-1.0.2h
   DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
 
 #
diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
index 7db1451..f836736 100644
--- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
+++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
 ================================================================================
                                 OpenSSL-Version
 ================================================================================
-  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2g.
-    http://www.openssl.org/source/openssl-1.0.2g.tar.gz
+  Current supported OpenSSL version for UEFI Crypto Library is 1.0.2h.
+    http://www.openssl.org/source/openssl-1.0.2h.tar.gz
 
 
 ================================================================================
                       HOW to Install Openssl for UEFI Building
 ================================================================================
-1.  Download OpenSSL 1.0.2g from official website:
-    http://www.openssl.org/source/openssl-1.0.2g.tar.gz
+1.  Download OpenSSL 1.0.2h from official website:
+    http://www.openssl.org/source/openssl-1.0.2h.tar.gz
 
-    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2g.tar.tar.
-          When you do the download, rename the "openssl-1.0.2g.tar.tar" to
-          "openssl-1.0.2g.tar.gz" or rename the local downloaded file with ".tar.tar"
+    NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2h.tar.tar.
+          When you do the download, rename the "openssl-1.0.2h.tar.tar" to
+          "openssl-1.0.2h.tar.gz" or rename the local downloaded file with ".tar.tar"
           extension to ".tar.gz".
 
-2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2g
+2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2h
 
     NOTE: If you use WinZip to unpack the openssl source in Windows, please
           uncheck the WinZip smart CR/LF conversion option (WINZIP: Options -->
           Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
 
-3.  Apply this patch: EDKII_openssl-1.0.2g.patch, and make installation
+3.  Apply this patch: EDKII_openssl-1.0.2h.patch, and make installation
 
     For Windows Environment:
     ------------------------
     1) Make sure the patch utility has been installed in your machine.
        Install Cygwin or get the patch utility binary from
           http://gnuwin32.sourceforge.net/packages/patch.htm
-    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2g
-    3) patch -p1 -i ..\EDKII_openssl-1.0.2g.patch
+    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2h
+    3) patch -p1 -i ..\EDKII_openssl-1.0.2h.patch
     4) cd ..
     5) Install.cmd
 
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
     -----------------------
     1) Make sure the patch utility has been installed in your machine.
        Patch utility is available from http://directory.fsf.org/project/patch/
-    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2g
-    3) patch -p1 -i ../EDKII_openssl-1.0.2g.patch
+    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2h
+    3) patch -p1 -i ../EDKII_openssl-1.0.2h.patch
     4) cd ..
     5) ./Install.sh
 
-- 
2.9.2
openSUSE Build Service is sponsored by